From 93f2431a7f8fcd775567f0a607892f4e3ce8ed3c Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Mon, 1 Jan 2024 13:40:47 +0000 Subject: [PATCH 01/23] Add RouteGroup tests for securing TLS using secrets 
Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/routegroups_test.go | 4 + .../routegroups/tls/tls-invalid-secret.kube | 1 + .../routegroups/tls/tls-invalid-secret.log | 1 + .../routegroups/tls/tls-invalid-secret.yaml | 88 ++++++++++++++++++ .../routegroups/tls/tls-invalid-tls.kube | 1 + .../routegroups/tls/tls-invalid-tls.log | 1 + .../routegroups/tls/tls-invalid-tls.yaml | 89 ++++++++++++++++++ .../routegroups/tls/tls-missing-host.kube | 1 + .../routegroups/tls/tls-missing-host.log | 1 + .../routegroups/tls/tls-missing-host.yaml | 91 ++++++++++++++++++ .../routegroups/tls/tls-missing-secret.kube | 1 + .../routegroups/tls/tls-missing-secret.log | 1 + .../routegroups/tls/tls-missing-secret.yaml | 79 ++++++++++++++++ .../routegroups/tls/tls-multiple-host.kube | 1 + .../routegroups/tls/tls-multiple-host.log | 2 + .../routegroups/tls/tls-multiple-host.yaml | 93 +++++++++++++++++++ .../routegroups/tls/tls-single-host.kube | 1 + .../routegroups/tls/tls-single-host.log | 1 + .../routegroups/tls/tls-single-host.yaml | 91 ++++++++++++++++++ 19 files changed, 548 insertions(+) create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.kube create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.log create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.yaml create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.kube create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.log create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.yaml create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.kube create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.yaml create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.kube create mode 
100644 dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.log create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.yaml create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.kube create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.log create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.yaml create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.kube create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.log create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.yaml diff --git a/dataclients/kubernetes/routegroups_test.go b/dataclients/kubernetes/routegroups_test.go index c3149154b3..4963fd434e 100644 --- a/dataclients/kubernetes/routegroups_test.go +++ b/dataclients/kubernetes/routegroups_test.go @@ -57,3 +57,7 @@ func TestRouteGroupExternalName(t *testing.T) { func TestRouteGroupDefaultLoadBalancerAlgorithm(t *testing.T) { kubernetestest.FixturesToTest(t, "testdata/routegroups/loadbalancer-algorithm") } + +func TestRouteGroupTLS(t *testing.T) { + kubernetestest.FixturesToTest(t, "testdata/routegroups/tls") +} diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.kube b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.kube new file mode 100644 index 0000000000..169ce65a8b --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.kube @@ -0,0 +1 @@ +kubernetes-enable-tls: true diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.log new file mode 100644 index 0000000000..2aadff77bd --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.log 
@@ -0,0 +1 @@ +level=error msg="Failed to generate TLS certificate from secret: secret must contain tls.crt and tls.key in data field" kind=RouteGroup name=myapp ns=default diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.yaml new file mode 100644 index 0000000000..21b46c15e2 --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.yaml @@ -0,0 +1,88 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp-deployment + labels: + app: myapp +spec: + replicas: 1 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: myapp + image: myapp:v1 + ports: + - containerPort: 80 + name: my-port + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: myapp-deployment + name: myapp-service +spec: + clusterIP: 10.3.190.1 + ports: + - name: this-is-my-service-port-name + port: 8080 + protocol: TCP + targetPort: my-port + selector: + app: myapp + type: ClusterIP +--- +apiVersion: zalando.org/v1 +kind: RouteGroup +metadata: + name: myapp + namespace: default +spec: + hosts: + - example.org + backends: + - name: myapp + type: service + serviceName: myapp-service + servicePort: 8080 + routes: + - pathSubtree: / + backends: + - backendName: myapp + tls: + - hosts: + - example.org + secretName: myapp-secret +--- +apiVersion: v1 +kind: Endpoints +metadata: + labels: + app: myapp-deployment + name: myapp-service +subsets: + - addresses: + - ip: 10.3.0.3 + targetRef: + kind: Pod + name: myapp-deployment-6786bf95fd-fnqnq + ports: + - name: this-is-my-service-port-name + port: 80 + protocol: TCP +--- +apiVersion: v1 +kind: Secret +metadata: + name: myapp-secret + namespace: default +type: Opaque +data: + foo: bar 
diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.kube b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.kube new file mode 100644 index 0000000000..169ce65a8b --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.kube @@ -0,0 +1 @@ +kubernetes-enable-tls: true diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.log new file mode 100644 index 0000000000..30cf64406c --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.log @@ -0,0 +1 @@ +level=error msg="Failed to generate TLS certificate from secret: failed to decode tls.crt from secret myapp-secret" kind=RouteGroup name=myapp ns=default diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.yaml new file mode 100644 index 0000000000..4714b6a1e9 --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.yaml 
@@ -0,0 +1,89 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp-deployment + labels: + app: myapp +spec: + replicas: 1 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: myapp + image: myapp:v1 + ports: + - containerPort: 80 + name: my-port + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: myapp-deployment + name: myapp-service +spec: + clusterIP: 10.3.190.1 + ports: + - name: this-is-my-service-port-name + port: 8080 + protocol: TCP + targetPort: my-port + selector: + app: myapp + type: ClusterIP +--- +apiVersion: zalando.org/v1 +kind: RouteGroup +metadata: + name: myapp + namespace: default +spec: + hosts: + - example.org + backends: + - name: myapp + type: service + serviceName: myapp-service + servicePort: 8080 + routes: + - pathSubtree: / + backends: + - backendName: myapp + tls: + - hosts: + - example.org + secretName: myapp-secret +--- +apiVersion: v1 +kind: Endpoints +metadata: + labels: + app: myapp-deployment + name: myapp-service +subsets: + - addresses: + - ip: 10.3.0.3 + targetRef: + kind: Pod + name: myapp-deployment-6786bf95fd-fnqnq + ports: + - name: this-is-my-service-port-name + port: 80 + protocol: TCP +--- +apiVersion: v1 +kind: Secret +metadata: + name: myapp-secret + namespace: default +type: kubernetes.io/tls +data: + tls.crt: thisisnotacert + tls.key: thisisnotakey diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.kube b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.kube new file mode 100644 index 0000000000..169ce65a8b --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.kube @@ -0,0 +1 @@ +kubernetes-enable-tls: true diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log new file mode 100644 index 0000000000..bd57b17f2d --- /dev/null 
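Review bot: The invalid-TLS fixture's `tls.crt: thisisnotacert` is not valid base64, so the expected log line in tls-invalid-tls.log ("failed to decode tls.crt from secret myapp-secret") is presumably produced by the decoding step and the PEM/X.509 parsing path for well-formed base64 holding non-certificate bytes is not exercised anywhere in this directory. A sibling fixture with valid base64 of non-PEM bytes, and one whose key does not match its certificate, would pin the error handling for a malformed secret rather than only the base64 failure. This is a coverage note; the fixture itself is consistent with its .log file.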
+++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log @@ -0,0 +1 @@ +level=info msg="No matching tls hosts found" kind=RouteGroup name=myapp ns=default diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.yaml new file mode 100644 index 0000000000..a492896ddd --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.yaml 
@@ -0,0 +1,91 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp-deployment + labels: + app: myapp +spec: + replicas: 1 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: myapp + image: myapp:v1 + ports: + - containerPort: 80 + name: my-port + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: myapp-deployment + name: myapp-service +spec: + clusterIP: 10.3.190.1 + ports: + - name: this-is-my-service-port-name + port: 8080 + protocol: TCP + targetPort: my-port + selector: + app: myapp + type: ClusterIP +--- +apiVersion: zalando.org/v1 +kind: RouteGroup +metadata: + name: myapp + namespace: default +spec: + hosts: + - example.org + backends: + - name: myapp + type: service + serviceName: myapp-service + servicePort: 8080 + routes: + - pathSubtree: / + backends: + - backendName: myapp + tls: + - hosts: + - foo.org + secretName: myapp-secret +--- +apiVersion: v1 +kind: Endpoints +metadata: + labels: + app: myapp-deployment + name: myapp-service +subsets: + - addresses: + - ip: 10.3.0.3 + targetRef: + kind: Pod + name: myapp-deployment-6786bf95fd-fnqnq + ports: + - name: this-is-my-service-port-name + port: 80 + protocol: TCP +--- +apiVersion: v1 +kind: Secret +metadata: + name: myapp-secret + namespace: default +type: kubernetes.io/tls +data: + tls.crt: | + 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZhekNDQTFPZ0F3SUJBZ0lVZm9WZWI1Y3Y2alZlOC9ZQWFVaGVJejJCSXBNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TWpBek1UQXlNREU0TURSYUZ3MHlNekF6Ck1UQXlNREU0TURSYU1FVXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRRE10ZGpVUUhzUGJDamNQMjJORmpKN3NzOXJYOVEydmloVVpLN2cvbGF4Cm1hMnpmelV6QitKUUNhdTlFZkRQUVpqVC91NWVGL29vaUtqbGI1Q25USEZMbG52eFd6N1pKN0hWYzAzTnZhWEUKUk54VmdPMXNCbkxSME9URTZRampBYW9lU29RSnFDMEI2em5KdTlNaVdUeVVsY2xWNHVocmZERGZUK1hUcHNrVgpLV2pnMG9ORCtFN01zMTlsRTRwMVYrV0dPWVRub0E1a3pvS2Z4aGpIN3R6SWZwbXFTWGJ2RGxkOWNacUJGbEtHCjBGeWFxK2pUS1lkRWtRL2xQekxJQWtaWW5NVVJDcklJYkZ3WHpuV3VqYzNQYVNnQkdCSmowVFlsN1Z6SExzM2sKL2dCdzd4N1FZZk41SGFZckhYN0FqMlQ4b2Z2a2xhcUxDRDFUaS9nM3dNVzgyR0NJVW52OW13Z3F5TFJoSHBscgpiUmV0a3BSU0JueDlOMWtac2VkaFVoR2FuS3I5MVhrajBySlRTcnBNUkZsSjdVWTlzTEMwenRwVGtMTjlvMnZpCmxrVFd0S3dKTzZXTzBsOTNDSitsWXhUcndNU3RLT0JDN2tVOXdhcVN3REQ0MHJtS1c3VTE0TlVhcTVIYlVISTYKMmY3UzBxVlRhb255VUN6OUVhVmJLaTV0SDFuVkJ1SWwzUDFRQS9RMkh1ZWo5TTU5YWlaT0lDVnhmQmJUbUNIeApyeG5pai83MWlDbTcrMWllNUxIMTI4Y2krNW1nRTQvditPZFZwM0RucVkycmFNeUFJMFBJNGVNVFlmc2tRWVFkCjlCRU8rVkI4ZGdtcnlSR2dPaHNSWFFieXFNOERYTXc4S1BrS2IxTjBwR2l1NXVNRVFKaHd4S3N6T0JGWGtyRG8KQndJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVUVXTTh0WjRsVng0MlFMeE8xSE03dGRCZUMvOHdId1lEVlIwagpCQmd3Rm9BVUVXTTh0WjRsVng0MlFMeE8xSE03dGRCZUMvOHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBZ0VBd3UwN2doaHRyUkNMZ0JuNENHbE5vVkxLRkx2SjQ3T21GUUc1eVp5MTEvdzkKaC9oblJMeDVCbk8wb1lZMmw4M0Z3OUozUWVIaThDTk84Ujc4NTRmRk56WGMxSEFZa1RWc1VZbE9wOW4wTTYwSgpKb3MyUFA5TldNTUpCcFg3Q3JQYUZRRjJoU09hb1NqaXZ1dVoxRnQrZVZEY3FWMjM0VFkrK25hYzBRc053RTYrCnpMai91TGFEM0xWUXh6Y2RuNWMrYVpSNjV0K3I0Q0RsWW1MMGVJY2RTeXF5UUtUWDlMaE1lVXQ3RUxJdEpnVkgKZDdSaDRuRU8rRDVhVEszNkZNSk9TM0VUL0Y1RksrT2QzVmgwMW9RTTJw
R0dqQ3A3d2dMeWxNNTVaMWhsTnVXMQo4YWp2eHJDNWVVd2RkaTA4WWFBQjlpR1VRLzRmeUFmQkNkNjJZVVRXSUhib1NMKy84MEpySFZIQnhTaWZ0NmRFClI0SVBtbmtoakovOFcvK1g1WThvOFdrVUF3Zm00QWpOL3ZOZGUxWm1NSVFsSEZhQVRuWUJEaXBaOElSUnBndFEKcnc4d044U0NOV0plZHppdlVoYjdXdUdHbndCcDZ1Wjg1TDUzblN3SFBBS2Y3eGNhTXROVnpuZ1VJaXU1bm9PNwpZSFFzcG1xRVhQQzQ4NERmMHhTUWllUUhTWGxPUVFXS285QTQ5ZXM1NnV2ZGw0c0pTbW9uUTZMblgzV21sUGFGCmdxQSs2ZXZHanVqQmppaTBybncvUWpxY3NteHNtWU84alpGY21pZWpJL3AxUE1OalBpRWJjZGhrNFNrdDlxdnkKcDhvTXVLVzFLNHFpRUp0R1VOT3hkUEt2b1V1MWllQUtuY0FtdUhxdWNHWDBva2JrdmZjT0tYQjFoRi9kK1gwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.key: | + 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 diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.kube b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.kube new file mode 100644 index 0000000000..169ce65a8b --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.kube @@ -0,0 +1 @@ +kubernetes-enable-tls: true diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.log new file mode 100644 index 0000000000..7cbf84aed7 --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.log @@ -0,0 +1 @@ +level=error msg="Failed to find secret myapp-secret in namespace default" kind=RouteGroup name=myapp ns=default diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.yaml new file mode 100644 index 0000000000..53c2600bc1 --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.yaml 
@@ -0,0 +1,79 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp-deployment + labels: + app: myapp +spec: + replicas: 1 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: myapp + image: myapp:v1 + ports: + - containerPort: 80 + name: my-port + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: myapp-deployment + name: myapp-service +spec: + clusterIP: 10.3.190.1 + ports: + - name: this-is-my-service-port-name + port: 8080 + protocol: TCP + targetPort: my-port + selector: + app: myapp + type: ClusterIP +--- +apiVersion: zalando.org/v1 +kind: RouteGroup +metadata: + name: myapp + namespace: default +spec: + hosts: + - example.org + backends: + - name: myapp + type: service + serviceName: myapp-service + servicePort: 8080 + routes: + - pathSubtree: / + backends: + - backendName: myapp + tls: + - hosts: + - example.org + secretName: myapp-secret +--- +apiVersion: v1 +kind: Endpoints +metadata: + labels: + app: myapp-deployment + name: myapp-service +subsets: + - addresses: + - ip: 10.3.0.3 + targetRef: + kind: Pod + name: myapp-deployment-6786bf95fd-fnqnq + ports: + - name: this-is-my-service-port-name + port: 80 + protocol: TCP diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.kube b/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.kube new file mode 100644 index 0000000000..169ce65a8b --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.kube @@ -0,0 +1 @@ +kubernetes-enable-tls: true diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.log new file mode 100644 index 0000000000..d1b4cd0877 --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.log 
@@ -0,0 +1,2 @@ +level=info msg="adding certificate to registry - foo.org" +level=info msg="adding certificate to registry - example.org" \ No newline at end of file diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.yaml new file mode 100644 index 0000000000..91fd8b4735 --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.yaml @@ -0,0 +1,93 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp-deployment + labels: + app: myapp +spec: + replicas: 1 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: myapp + image: myapp:v1 + ports: + - containerPort: 80 + name: my-port + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: myapp-deployment + name: myapp-service +spec: + clusterIP: 10.3.190.1 + ports: + - name: this-is-my-service-port-name + port: 8080 + protocol: TCP + targetPort: my-port + selector: + app: myapp + type: ClusterIP +--- +apiVersion: zalando.org/v1 +kind: RouteGroup +metadata: + name: myapp + namespace: default +spec: + hosts: + - example.org + - foo.org + backends: + - name: myapp + type: service + serviceName: myapp-service + servicePort: 8080 + routes: + - pathSubtree: / + backends: + - backendName: myapp + tls: + - hosts: + - example.org + - foo.org + secretName: myapp-secret +--- +apiVersion: v1 +kind: Endpoints +metadata: + labels: + app: myapp-deployment + name: myapp-service +subsets: + - addresses: + - ip: 10.3.0.3 + targetRef: + kind: Pod + name: myapp-deployment-6786bf95fd-fnqnq + ports: + - name: this-is-my-service-port-name + port: 80 + protocol: TCP +--- +apiVersion: v1 +kind: Secret +metadata: + name: myapp-secret + namespace: default +type: kubernetes.io/tls +data: + tls.crt: | + 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 + tls.key: | + 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 
diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.kube b/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.kube new file mode 100644 index 0000000000..169ce65a8b --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.kube @@ -0,0 +1 @@ +kubernetes-enable-tls: true diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.log new file mode 100644 index 0000000000..b9691ef678 --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.log @@ -0,0 +1 @@ +level=info msg="adding certificate to registry - example.org" \ No newline at end of file diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.yaml new file mode 100644 index 0000000000..b87648c9a0 --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.yaml 
@@ -0,0 +1,91 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp-deployment + labels: + app: myapp +spec: + replicas: 1 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: myapp + image: myapp:v1 + ports: + - containerPort: 80 + name: my-port + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: myapp-deployment + name: myapp-service +spec: + clusterIP: 10.3.190.1 + ports: + - name: this-is-my-service-port-name + port: 8080 + protocol: TCP + targetPort: my-port + selector: + app: myapp + type: ClusterIP +--- +apiVersion: zalando.org/v1 +kind: RouteGroup +metadata: + name: myapp + namespace: default +spec: + hosts: + - example.org + backends: + - name: myapp + type: service + serviceName: myapp-service + servicePort: 8080 + routes: + - pathSubtree: / + backends: + - backendName: myapp + tls: + - hosts: + - example.org + secretName: myapp-secret +--- +apiVersion: v1 +kind: Endpoints +metadata: + labels: + app: myapp-deployment + name: myapp-service +subsets: + - addresses: + - ip: 10.3.0.3 + targetRef: + kind: Pod + name: myapp-deployment-6786bf95fd-fnqnq + ports: + - name: this-is-my-service-port-name + port: 80 + protocol: TCP +--- +apiVersion: v1 +kind: Secret +metadata: + name: myapp-secret + namespace: default +type: kubernetes.io/tls +data: + tls.crt: | + 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 + tls.key: | + 
LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpSQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1M0d2dna3FBZ0VBQW9JQ0FRRE10ZGpVUUhzUGJDamMKUDIyTkZqSjdzczlyWDlRMnZpaFVaSzdnL2xheG1hMnpmelV6QitKUUNhdTlFZkRQUVpqVC91NWVGL29vaUtqbApiNUNuVEhGTGxudnhXejdaSjdIVmMwM052YVhFUk54VmdPMXNCbkxSME9URTZRampBYW9lU29RSnFDMEI2em5KCnU5TWlXVHlVbGNsVjR1aHJmRERmVCtYVHBza1ZLV2pnMG9ORCtFN01zMTlsRTRwMVYrV0dPWVRub0E1a3pvS2YKeGhqSDd0eklmcG1xU1hidkRsZDljWnFCRmxLRzBGeWFxK2pUS1lkRWtRL2xQekxJQWtaWW5NVVJDcklJYkZ3WAp6bld1amMzUGFTZ0JHQkpqMFRZbDdWekhMczNrL2dCdzd4N1FZZk41SGFZckhYN0FqMlQ4b2Z2a2xhcUxDRDFUCmkvZzN3TVc4MkdDSVVudjltd2dxeUxSaEhwbHJiUmV0a3BSU0JueDlOMWtac2VkaFVoR2FuS3I5MVhrajBySlQKU3JwTVJGbEo3VVk5c0xDMHp0cFRrTE45bzJ2aWxrVFd0S3dKTzZXTzBsOTNDSitsWXhUcndNU3RLT0JDN2tVOQp3YXFTd0RENDBybUtXN1UxNE5VYXE1SGJVSEk2MmY3UzBxVlRhb255VUN6OUVhVmJLaTV0SDFuVkJ1SWwzUDFRCkEvUTJIdWVqOU01OWFpWk9JQ1Z4ZkJiVG1DSHhyeG5pai83MWlDbTcrMWllNUxIMTI4Y2krNW1nRTQvditPZFYKcDNEbnFZMnJhTXlBSTBQSTRlTVRZZnNrUVlRZDlCRU8rVkI4ZGdtcnlSR2dPaHNSWFFieXFNOERYTXc4S1BrSwpiMU4wcEdpdTV1TUVRSmh3eEtzek9CRlhrckRvQndJREFRQUJBb0lDQVFDZ1M4enI5MG5sZTdaTE1NZWg4TDI3Ckt2dE1ndzl6aGxlaUxlemFkWTZCSjJ0aTRMdFJxRnpJZTZvbE5RVXg1Wlc4ZXlWQVBOcEFIekxSNWhpSlNFeDIKK2ZFM3YxRnBUYkh0Q0lybURoamRwV1k2OWVmejdPQy85eWtNSDhZN3E3UUFZQzBnT3JaemlEUUtDYTk4ZUEvOQo4WVJrWW5mSW9zaktOSkFzdWE4L2lOdDlJSnAxQU4wRFlYblRkZ2UzZHdwZG5uQzV4eFUrVG83dWVYb3lKSkp4CjFPQ1MvVS9LUlpxd3VlSllMcGlVeEZlZkxmbjBUOUtDR0cwdi85ck56eW95ZlIrN0JucitLWXU3Z0ltYUU2UVQKUTY1MW5OblptNXNnKzhyb2xYZllWaVVXU2NnQk9KSWtSdGsxYmJVeEo1ZldVeWtoaHlpeUVkT2p0amk1djVPVgpzN0o5V1dzcW9qYUdacG8vTUc0VllsRzA4N0VYR1c3ZUt2U2JWL1VCTHEzcEZtUEVYUjFGVUZyL0xFT2M0MmZnCmEvOGgyQ2M2N2p6Z1EzbHpFY0VzSzZJMnZud3FESzlXR1hBd2hXZG9zUG1QVzFKQ2JOMkhXcUxHTHdJTnZCbG0KcnJQUjFQN1Rhc2ZHZE1jaER4QVdKUkJXblNUdzJyZUo0YVp5dlk5Tk1hdHdodHBvQnJrR3pGVjNYZEV6SEZxVwpjaHJDdnZKSURQdzBqaUN2akdSdnRLYWZ2WWJ5dktvaFNTQTNpMjhtYlB1TzBuSEdacEJ6OEZMTzA3d0Fmd1ZyCkdWWWNxSGdVRk5BYUp1Qld4WndMR0NGeU9sWUJadVNRL0ZONjJZQ091Vm1SRVpTWmtqekFuczhqNVBBdnBSUFgKVFJsM3dxakdrV3BlSHg3clM1OXdVUUtDQVFFQTdsZk5NdFc3b1dvNC90
b0dvaE1LK3RXOWphN3JPd08wZ0VNdQo5OGV6WitOakJsRGdoOVRkTk1JMFZqekNZeGxIQUM0MnZxcHZ1TG1rSk40Rm8xY0lDaVFjS01FYitxOGRMUzFZClhXRlRKdFdMY1poUXFUampCNWlRZ1QvZFpBS3dHT3ZSQlVuRi9id0VKeEhTLzZBYk1YaWs4bVlpWWNZZkI3bTUKMkZBcUZHUmdhQjJOMXBiMmduU3hDRW12UjhHbk1Bam9MY2x3S0FHYUtwMVFmK1hCL25wVlpFVXpRL3hxSkZrWgppa21YUDZ5ekpZbXF6UnRGVHhTZDVqQ3hVMTBDMDVSREEraFUydTd0VGU4SW5sTmtpYWhud0xLOHlBUkg0Z201CjlXRmZ0KzBCQ1BDVkFHTk00NjdmcEt5VmwzODdsdG5pSkF0RG1oYXJ6Z2dNeVBidXN3S0NBUUVBMitBeStsVTIKMkFURHN2Wmp6OEc0alI3RnN4MUhYK1pmbTdtTVhKajVYMWhVekduRHZzcngwSE16Z0Zxbk9pYTlrNXpBaFhNSQpwZnl5RitPR0RVb3c3eXJzWGtTeWZDWTYyUVBSRkd2Z01qMUhoYUUwQzlkSWVXZmNlOTVlUUFVZ0FsVjlDRkQrCjlaYmtUMzZPZy9VTUVWU0dkdUhFVVFiRW52Qnp2Zm9UOVJkcEQ3eWd2Sk03T0RFR1A2Z1djNkVXOUcrWXpJNG8Ka2k4SEVRbDJRa1N2cTJkVVBjSzNoZVFvbHJCWERUWk9QeS8vaG1jbkpnbEMvUW1nSUdyWHhQN0F3TjkrU2hYSAo4d1RMcVd1cll1eWpQdkkraXlLR0tHaTk2NmhwNW5JVDdjcllFOStJWlpQQWJrbFRXUVg0SGNrYzhtMTFMZkJQCjAxT2NZMit4clp1TFhRS0NBUUVBcEIzVFR3aTdQVWVPWFhZMWtRNTV4Z1M5bER6NC90YnJTRko2bWVWcDFNUlAKWUg3NlRLMjNiK2UxOEJmQVprcDJpRnBLR2ZuMEdnZkNUaHlQVjB6TFhXaEY5NDRaUFFHdG5ua1YycDcwaWM0TApTYm51K01jU0ZSM3Bpd1kxNVBLdzNVZ3IwbTlkSlAxOUFvWVVleTU4NnhDK3k2YW1VQnNETE9lblg1cTdqdlViCktUWUlmOVhOZ2tEbDBlWWpDczcrMTJXYXNrUjl0UjU5VUpDb2FKa0Zmcnd2NW01OEFYbGlnUXJWT2xLNEVnRlMKRGl3QWIyRXkxV1JGNGNadnBBNXNydEh0WDFod2JaeU56TmNtWVJiZEtLak1ZSFR5NXV1RHI5S3d1SlZIT3JlNAp1YlluYzIvczl1NW9VdFQvNEtTY25LQUZSbnAzSHpnekx4aDk3VGVUWHdLQ0FRRUF3TTBRaG5oUWRnMS9lUjhhCm1LTzY2MnZQV2VkVG5lRUpkeWkxenNDSThyVW03blBUcENxYTdma0djUWVNMmEzODBFSkVnd0JDMWlJR0hISnoKS3BZaTRLV1h6SFdhdU1oaEU4aUgvc3MxTlhpTWpiMjBRS25QTUQ0RmxVeUJBc3c3ckRCQVNobVQ1OUFmZFNGNQpZSFp3MVlWenZ5enJFMDNHL2NQRkNoSU9pL3l5TUkxcnVNKzF2dWttSEkyTTJtbW9Fa0VGRUdHYmE4djIrMVo3CnIxSkJaQ0JnT3lQUi80TDRvR0lTZzFCYVBvZ2RIVUs0amw3U3NjVk45djhaSXZGc0hmUWI3bVM1QnZ6dWhTb1gKaDlBT3VYUjdxVTlscW10bUZnMkFod1VET3FHQzViSStEU3dKTWV2MFBQekIrNFJOY0xyUVpLN3pvRkFSc3hQUApEbmQxTlFLQ0FRQXlJM0xCOUQxUlg1NkhEYmI4WTZobk1wM2xTTmU3aWxpNy8zMjNCczB2QTZ6R0hod2o4ajlnCjVHcEJSd2ZXdCszUkRvZlQrL1h3K1MxTmdUTVJxWkw3M3V3VjdIWnhaTkE4NU5T
UDk2bG5EbmpXN3NzTFhtY0wKRFRNQy83UVBaOU1xYmt4SXNDV0wwaml2bSs0a0UrSStqWXlHdkx0a2hlU1NHOU5pOGM1SzlwdjF1Z3ZVOUpwSAo0QlRSblhCd2JOUnVMZ3JpcHJwZjJKS2dYQmlPWEFTZUVmbzMvSTRETjZISWxwUFdoRDkwb0MyaWhvU3JrL2lVCmFMSnVCUmhncDJBelFYMWlBMDcxczNJR3ZlUERnN1RYd2Y4ZDM2bFhnVWNTTEJ0N2FmVzNoOGordEVCZ1FQTEwKVk9seXgzYzVNdVpaZDhHWXBKNGUwUDFJYWJzN2ZwZEEKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= From c71636b774b47413ff6117ed6f377c3fe93d90d5 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Mon, 1 Jan 2024 13:42:30 +0000 Subject: [PATCH 02/23] Add TLS spec for RouteGroups Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/definitions/routegroups.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/dataclients/kubernetes/definitions/routegroups.go b/dataclients/kubernetes/definitions/routegroups.go index 922d363149..7ea8bd670a 100644 --- a/dataclients/kubernetes/definitions/routegroups.go +++ b/dataclients/kubernetes/definitions/routegroups.go @@ -59,6 +59,10 @@ type RouteGroupSpec struct { // Routes specifies the list of route based on path, method // and predicates. Routes []*RouteSpec `json:"routes,omitempty"` + + // TLS specifies the list of Kubernetes TLS secrets to + // be used to terminate the TLS connection + TLS []*RouteTLSSpec `json:"tls,omitempty"` } // SkipperBackend is the type safe version of skipperBackendParser @@ -155,6 +159,16 @@ type RouteSpec struct { Methods []string `json:"methods,omitempty"` } +type RouteTLSSpec struct { + // Hosts specifies the list of hosts included in the + // TLS certificate + Hosts []string `json:"hosts,omitempty"` + + // SecretName specifies the Kubernetes TLS secret to be + // used to terminate the TLS SNI connection + SecretName string `json:"secretName,omitempty"` +} + func backendsWithDuplicateName(name string) error { return fmt.Errorf("backends with duplicate name: %s", name) } From c358be501b89348a923a0887029a6eefaced1af0 Mon Sep 17 00:00:00 2001 
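Review bot: `RouteTLSSpec` in the second hunk of routegroups.go is an exported type without the leading doc comment its neighbours carry, e.g. `// RouteTLSSpec defines the hosts and the Kubernetes TLS secret used to terminate TLS for a RouteGroup.`; the `TLS` field comment in the first hunk should also end with a period like its siblings. Nothing in this commit validates that `SecretName` is non-empty or that `Hosts` is a subset of `spec.hosts`, so it is worth confirming whether the RouteGroup validation code (not in this diff) should reject such entries at admission rather than leaving it to a runtime log line. If the secret is meant to be resolved only from the RouteGroup's own namespace, stating that on `SecretName` would make the contract visible to users of the CRD.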
From: Ricardo Herrera
Date: Mon, 1 Jan 2024 13:43:40 +0000
Subject: [PATCH 03/23] Load TLS certs to registry from RouteGroup TLS definition
Signed-off-by: Ricardo Herrera
---
 dataclients/kubernetes/kube.go | 2 +-
 dataclients/kubernetes/routegroup.go | 50 +++++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/dataclients/kubernetes/kube.go b/dataclients/kubernetes/kube.go
index 5ca47e3e66..52b8d02bc1 100644
--- a/dataclients/kubernetes/kube.go
+++ b/dataclients/kubernetes/kube.go
@@ -422,7 +422,7 @@ func (c *Client) loadAndConvert() ([]*eskip.Route, error) {
 return nil, err
 }
 
- rg, err := c.routeGroups.convert(state, defaultFilters, loggingEnabled)
+ rg, err := c.routeGroups.convert(state, defaultFilters, loggingEnabled, c.ClusterClient.certificateRegistry)
 if err != nil {
 return nil, err
 }
diff --git a/dataclients/kubernetes/routegroup.go b/dataclients/kubernetes/routegroup.go
index e2632e38c7..b2257d17ba 100644
--- a/dataclients/kubernetes/routegroup.go
+++ b/dataclients/kubernetes/routegroup.go
@@ -8,6 +8,7 @@ import (
 "github.com/zalando/skipper/dataclients/kubernetes/definitions"
 "github.com/zalando/skipper/eskip"
 "github.com/zalando/skipper/loadbalancer"
+ "github.com/zalando/skipper/secrets/certregistry"
 )
 
 const backendNameTracingTagName = "skipper.backend_name"
@@ -39,6 +40,7 @@ type routeGroupContext struct {
 provideHTTPSRedirect bool
 calculateTraffic func([]*definitions.BackendReference) map[string]backendTraffic
 defaultLoadBalancerAlgorithm string
+ certificateRegistry *certregistry.CertRegistry
 }
 
 type routeContext struct {
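Review bot: The new `certificateRegistry` field in the routeGroupContext hunk is undocumented, and the kube.go hunk passes `c.ClusterClient.certificateRegistry` through convert without saying whether it may be nil. A one-line field comment such as `// certificateRegistry receives per-host certificates from the RouteGroup TLS section; nil means TLS handling is disabled` would make the nil contract explicit for readers of convert. That nil is the disabled state is inferred from the nil checks convert adds later in this series, so confirm before wording it that way.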
@@ -478,7 +480,39 @@ func splitHosts(hosts []string, domains []string) ([]string, []string) {
 return internalHosts, externalHosts
 }
 
-func (r *routeGroups) convert(s *clusterState, df defaultFilters, loggingEnabled bool) ([]*eskip.Route, error) {
+// addRouteGroupHostTLSCert adds a TLS certificate to the certificate registry per host when the referenced
+// secret is found and is a valid TLS secret.
+func addRouteGroupHostTLSCert(ctx *routeGroupContext, hosts []string, secretID *definitions.ResourceID) {
+ secret, ok := ctx.state.secrets[*secretID]
+ if !ok {
+ ctx.logger.Errorf("Failed to find secret %s in namespace %s", secretID.Name, secretID.Namespace)
+ return
+ }
+ cert, err := generateTLSCertFromSecret(secret)
+ if err != nil {
+ ctx.logger.Errorf("Failed to generate TLS certificate from secret: %v", err)
+ return
+ }
+ for _, host := range hosts {
+ err := ctx.certificateRegistry.ConfigureCertificate(host, cert)
+ if err != nil {
+ ctx.logger.Errorf("Failed to configure certificate: %v", err)
+ }
+ }
+}
+
+func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions.RouteTLSSpec) {
+ hostlist := compareStringList(tls.Hosts, ctx.routeGroup.Spec.UniqueHosts())
+ if len(hostlist) == 0 {
+ ctx.logger.Infof("No matching tls hosts found")
+ return
+ }
+
+ secretID := &definitions.ResourceID{Name: tls.SecretName, Namespace: ctx.routeGroup.Metadata.Namespace}
+ addRouteGroupHostTLSCert(ctx, hostlist, secretID)
+}
+
+func (r *routeGroups) convert(s *clusterState, df defaultFilters, loggingEnabled bool, cr *certregistry.CertRegistry) ([]*eskip.Route, error) {
 var rs []*eskip.Route
 
 redirect := createRedirectInfo(r.options.ProvideHTTPSRedirect, r.options.HTTPSRedirectCode)
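Review bot: `addRouteGroupTLS` builds the secret ID with `ctx.routeGroup.Metadata.Namespace`, which is what keeps a RouteGroup from resolving a TLS secret that lives in another namespace, but unlike the equivalent Ingress code the invariant is not stated; add `// Secrets must reside in the same namespace as the RouteGroup; cross-namespace references are not resolved.` above the `secretID :=` line. Two smaller points in the same hunk: `addRouteGroupTLS` never uses its `r` receiver, so it could be a plain function like `addRouteGroupHostTLSCert`, and a TLS entry whose hosts do not intersect `spec.hosts` is logged at Info ("No matching tls hosts found") although it is almost certainly a misconfiguration, so Warn would surface it better (the tls-missing-host.log fixture would need the same change). If `ConfigureCertificate` replaces an existing entry for a host, two RouteGroups naming the same host overwrite each other's certificate silently; that belongs to the registry, which is outside this diff, but is worth a comment here so the next reader knows the last writer wins.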
@@ -530,6 +564,7 @@ func (r *routeGroups) convert(s *clusterState, df defaultFilters, loggingEnabled allowedExternalNames: r.options.AllowedExternalNames, calculateTraffic: getBackendTrafficCalculator[*definitions.BackendReference](r.options.BackendTrafficAlgorithm), defaultLoadBalancerAlgorithm: r.options.DefaultLoadBalancerAlgorithm, + certificateRegistry: cr, } ri, err := transformRouteGroup(ctx) @@ -546,6 +581,12 @@ func (r *routeGroups) convert(s *clusterState, df defaultFilters, loggingEnabled ri = append(ri, catchAll...) } + if ctx.certificateRegistry != nil { + for _, ctxTls := range rg.Spec.TLS { + r.addRouteGroupTLS(ctx, ctxTls) + } + } + rs = append(rs, ri...) } @@ -565,6 +606,7 @@ func (r *routeGroups) convert(s *clusterState, df defaultFilters, loggingEnabled allowedExternalNames: r.options.AllowedExternalNames, calculateTraffic: getBackendTrafficCalculator[*definitions.BackendReference](r.options.BackendTrafficAlgorithm), defaultLoadBalancerAlgorithm: r.options.DefaultLoadBalancerAlgorithm, + certificateRegistry: cr, } internalRi, err := transformRouteGroup(internalCtx) @@ -584,6 +626,12 @@ func (r *routeGroups) convert(s *clusterState, df defaultFilters, loggingEnabled applyEastWestRangePredicates(internalRi, r.options.KubernetesEastWestRangePredicates) + if internalCtx.certificateRegistry != nil { + for _, ctxTls := range rg.Spec.TLS { + r.addRouteGroupTLS(internalCtx, ctxTls) + } + } + rs = append(rs, internalRi...) } } From 4553fe7b8322050412ffabbe86598aa2ddae9557 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Mon, 1 Jan 2024 13:48:55 +0000 Subject: [PATCH 04/23] Add description to addRouteGroupTLS function Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/routegroup.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dataclients/kubernetes/routegroup.go b/dataclients/kubernetes/routegroup.go index b2257d17ba..0e95fce322 100644 --- a/dataclients/kubernetes/routegroup.go +++ b/dataclients/kubernetes/routegroup.go 
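Review bot: The `rg.Spec.TLS` loop is added twice in convert, once for the external `ctx` (hunk @@ -546) and once for `internalCtx` (hunk @@ -584), while `addRouteGroupTLS` matches against the whole `Spec.UniqueHosts()` rather than the host subset of the branch it is called from. If both branches run for a RouteGroup that has both external and internal hosts (inferred from the surrounding structure; convert starts and ends outside these hunks), every certificate is configured twice and east-west hosts get the same certificate registered, which is probably not intended. Consider running the loop once per route group after both branches, or passing the branch's own host list into `addRouteGroupTLS`. Minor style: `ctxTls` should be `ctxTLS` per Go initialism convention.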
@@ -501,6 +501,8 @@ func addRouteGroupHostTLSCert(ctx *routeGroupContext, hosts []string, secretID * } } +// addRouteGroupTLS compares the RouteGroup host list and the RouteGroup.TLS host list +// and adds the TLS secret to the registry if a match is found. func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions.RouteTLSSpec) { hostlist := compareStringList(tls.Hosts, ctx.routeGroup.Spec.UniqueHosts()) if len(hostlist) == 0 { From 5c5bca575ffd4323091287bf098463cc9c06363e Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Mon, 1 Jan 2024 14:00:31 +0000 Subject: [PATCH 05/23] Refactor using function to add TLS cert to registry Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/ingress.go | 21 ------------------- dataclients/kubernetes/ingressv1.go | 7 ++++++- dataclients/kubernetes/kube.go | 16 ++++++++++++++ dataclients/kubernetes/routegroup.go | 31 ++++++++-------------------- 4 files changed, 31 insertions(+), 44 deletions(-) diff --git a/dataclients/kubernetes/ingress.go b/dataclients/kubernetes/ingress.go index be7afcf3d6..171648e3f9 100644 --- a/dataclients/kubernetes/ingress.go +++ b/dataclients/kubernetes/ingress.go 
@@ -337,27 +337,6 @@ func hasCatchAllRoutes(routes []*eskip.Route) bool { return false } -// addHostTLSCert adds a TLS certificate to the certificate registry per host when the referenced -// secret is found and is a valid TLS secret. -func addHostTLSCert(ic *ingressContext, hosts []string, secretID *definitions.ResourceID) { - secret, ok := ic.state.secrets[*secretID] - if !ok { - ic.logger.Errorf("Failed to find secret %s in namespace %s", secretID.Name, secretID.Namespace) - return - } - cert, err := generateTLSCertFromSecret(secret) - if err != nil { - ic.logger.Errorf("Failed to generate TLS certificate from secret: %v", err) - return - } - for _, host := range hosts { - err := ic.certificateRegistry.ConfigureCertificate(host, cert) - if err != nil { - ic.logger.Errorf("Failed to configure certificate: %v", err) - } - } -} - // convert logs if an invalid found, but proceeds with the valid ones. // Reporting failures in Ingress status is not possible, because // Ingress status field only supports IP and Hostname as string. diff --git a/dataclients/kubernetes/ingressv1.go b/dataclients/kubernetes/ingressv1.go index 7f7c702356..874a5f7f3a 100644 --- a/dataclients/kubernetes/ingressv1.go +++ b/dataclients/kubernetes/ingressv1.go @@ -301,7 +301,12 @@ func (ing *ingress) addSpecIngressTLSV1(ic *ingressContext, ingtls *definitions. } // Secrets should always reside in same namespace as the Ingress secretID := &definitions.ResourceID{Name: ingtls.SecretName, Namespace: ic.ingressV1.Metadata.Namespace} - addHostTLSCert(ic, hostlist, secretID) + secret, ok := ic.state.secrets[*secretID] + if !ok { + ic.logger.Errorf("Failed to find secret %s in namespace %s", secretID.Name, secretID.Namespace) + return + } + addTLSCertToRegistry(*ic.certificateRegistry, ic.logger, hostlist, secret) } // converts the default backend if any diff --git a/dataclients/kubernetes/kube.go b/dataclients/kubernetes/kube.go index 52b8d02bc1..aef70eeafe 100644 --- a/dataclients/kubernetes/kube.go 
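Review bot: The secret lookup that the refactor pulled out of `addHostTLSCert` is now duplicated verbatim in `addSpecIngressTLSV1` here and in `addRouteGroupTLS` in routegroup.go, so the one security-relevant invariant in this path — the referenced secret must live in the referencing object's namespace — is enforced in two places that can drift. Let `addTLSCertToRegistry` take the cluster state and a `definitions.ResourceID` and do the lookup itself, keeping the `// Secrets should always reside in same namespace as the Ingress` rationale next to the single place that builds the ID. `addSpecIngressTLSV1` starts before this hunk.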
+++ b/dataclients/kubernetes/kube.go
@@ -595,3 +595,19 @@ func compareStringList(a, b []string) []string {
 }
 return c
 }
+
+// addRouteGroupHostTLSCert adds a TLS certificate to the certificate registry per host when the referenced
+// secret is found and is a valid TLS secret.
+func addTLSCertToRegistry(cr certregistry.CertRegistry, logger *logger, hosts []string, secret *secret) {
+ cert, err := generateTLSCertFromSecret(secret)
+ if err != nil {
+ logger.Errorf("Failed to generate TLS certificate from secret: %v", err)
+ return
+ }
+ for _, host := range hosts {
+ err := cr.ConfigureCertificate(host, cert)
+ if err != nil {
+ logger.Errorf("Failed to configure certificate: %v", err)
+ }
+ }
+}
diff --git a/dataclients/kubernetes/routegroup.go b/dataclients/kubernetes/routegroup.go
index 0e95fce322..3ad570fd7f 100644
--- a/dataclients/kubernetes/routegroup.go
+++ b/dataclients/kubernetes/routegroup.go
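Review bot: `addTLSCertToRegistry` takes `certregistry.CertRegistry` by value, and both callers dereference a pointer (`*ic.certificateRegistry`, `*ctx.certificateRegistry`) to satisfy it; if `CertRegistry` contains a `sync.Mutex` or any non-reference mutable field, each call mutates and locks a throwaway copy, so concurrent configuration is unsynchronized and `go vet` copylocks will flag the call sites. Take the pointer instead: `func addTLSCertToRegistry(cr *certregistry.CertRegistry, logger *logger, hosts []string, secret *secret) {` and pass `ic.certificateRegistry` / `ctx.certificateRegistry` through unchanged, with a cheap `if cr == nil { return }` guard at the top so the helper cannot panic when TLS support is disabled.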
@@ -480,38 +480,25 @@ func splitHosts(hosts []string, domains []string) ([]string, []string) { return internalHosts, externalHosts } -// addRouteGroupHostTLSCert adds a TLS certificate to the certificate registry per host when the referenced -// secret is found and is a valid TLS secret. -func addRouteGroupHostTLSCert(ctx *routeGroupContext, hosts []string, secretID *definitions.ResourceID) { - secret, ok := ctx.state.secrets[*secretID] - if !ok { - ctx.logger.Errorf("Failed to find secret %s in namespace %s", secretID.Name, secretID.Namespace) - return - } - cert, err := generateTLSCertFromSecret(secret) - if err != nil { - ctx.logger.Errorf("Failed to generate TLS certificate from secret: %v", err) - return - } - for _, host := range hosts { - err := ctx.certificateRegistry.ConfigureCertificate(host, cert) - if err != nil { - ctx.logger.Errorf("Failed to configure certificate: %v", err) - } - } -} - // addRouteGroupTLS compares the RouteGroup host list and the RouteGroup.TLS host list // and adds the TLS secret to the registry if a match is found. 
func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions.RouteTLSSpec) { + // Host in the tls section need to explicitly match the host in the RouteGroup hostlist := compareStringList(tls.Hosts, ctx.routeGroup.Spec.UniqueHosts()) if len(hostlist) == 0 { ctx.logger.Infof("No matching tls hosts found") return } + // Secrets should always reside in the same namespace as the RouteGroup secretID := &definitions.ResourceID{Name: tls.SecretName, Namespace: ctx.routeGroup.Metadata.Namespace} - addRouteGroupHostTLSCert(ctx, hostlist, secretID) + secret, ok := ctx.state.secrets[*secretID] + if !ok { + ctx.logger.Errorf("Failed to find secret %s in namespace %s", secretID.Name, secretID.Namespace) + return + } + addTLSCertToRegistry(*ctx.certificateRegistry, ctx.logger, hostlist, secret) + } func (r *routeGroups) convert(s *clusterState, df defaultFilters, loggingEnabled bool, cr *certregistry.CertRegistry) ([]*eskip.Route, error) { From 5e996920a53886e61c87fd799bac8cda077a6b1a Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Mon, 1 Jan 2024 15:21:35 +0000 Subject: [PATCH 06/23] add fixtures for when no tls secret is defined Signed-off-by: Ricardo Herrera --- .../testdata/ingressV1/tls/tls-no-secret.kube | 1 + .../testdata/ingressV1/tls/tls-no-secret.yaml | 91 +++++++++++++++++++ .../routegroups/tls/tls-no-secret.kube | 1 + .../routegroups/tls/tls-no-secret.yaml | 90 ++++++++++++++++++ 4 files changed, 183 insertions(+) create mode 100644 dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.kube create mode 100644 dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.yaml create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.kube create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.yaml diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.kube b/dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.kube new file mode 100644 index 0000000000..169ce65a8b 
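Review bot: `addRouteGroupTLS` now dereferences `*ctx.certificateRegistry` unconditionally; the only nil guard is the `if ctx.certificateRegistry != nil` in `convert`, so any future caller (or a context built in a test without a registry) panics. Guard it locally before the secret lookup: `if ctx.certificateRegistry == nil { return }`. The added blank line between the `addTLSCertToRegistry` call and the closing brace should also go. `convert` starts at the last line of this hunk and continues beyond it.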
--- /dev/null +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.kube @@ -0,0 +1 @@ +kubernetes-enable-tls: true diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.yaml b/dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.yaml new file mode 100644 index 0000000000..bc10d61069 --- /dev/null +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.yaml @@ -0,0 +1,91 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp-deployment + labels: + app: myapp +spec: + replicas: 1 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: myapp + image: myapp:v1 + ports: + - containerPort: 80 + name: my-port + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: myapp-deployment + name: myapp-service +spec: + clusterIP: 10.3.190.1 + ports: + - name: this-is-my-service-port-name + port: 8080 + protocol: TCP + targetPort: my-port + selector: + app: myapp + type: ClusterIP +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + labels: + app: myapp + name: myapp-ingress + namespace: default +spec: + tls: + - hosts: + - example.org + rules: + - host: example.org + http: + paths: + - backend: + service: + name: myapp-service + port: + number: 8080 + pathType: ImplementationSpecific +--- +apiVersion: v1 +kind: Endpoints +metadata: + labels: + app: myapp-deployment + name: myapp-service +subsets: + - addresses: + - ip: 10.3.0.3 + targetRef: + kind: Pod + name: myapp-deployment-6786bf95fd-fnqnq + ports: + - name: this-is-my-service-port-name + port: 80 + protocol: TCP +--- +apiVersion: v1 +kind: Secret +metadata: + name: myapp-secret + namespace: default +type: kubernetes.io/tls +data: + tls.crt: | + 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 + tls.key: | + 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 
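Review bot: This fixture exercises the "TLS entry without `secretName`" path, yet it still ships a `myapp-secret` Secret with key material, so a regression that ignored `secretName` and picked up a same-namespace secret would pass unnoticed, and the test data carries a private key it never needs. Drop the Secret block (and the Deployment, as a later commit in this series does for the RouteGroup fixtures), and pair the fixture with a `tls-no-secret.log` that pins the expected "No tls secret defined" line — the diffstat shows only `.kube` and `.yaml` were added, so the skip is currently asserted only by not crashing.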
diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.kube b/dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.kube new file mode 100644 index 0000000000..169ce65a8b --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.kube @@ -0,0 +1 @@ +kubernetes-enable-tls: true diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.yaml new file mode 100644 index 0000000000..0e41c798c8 --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.yaml 
@@ -0,0 +1,90 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp-deployment + labels: + app: myapp +spec: + replicas: 1 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: myapp + image: myapp:v1 + ports: + - containerPort: 80 + name: my-port + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: myapp-deployment + name: myapp-service +spec: + clusterIP: 10.3.190.1 + ports: + - name: this-is-my-service-port-name + port: 8080 + protocol: TCP + targetPort: my-port + selector: + app: myapp + type: ClusterIP +--- +apiVersion: zalando.org/v1 +kind: RouteGroup +metadata: + name: myapp + namespace: default +spec: + hosts: + - example.org + backends: + - name: myapp + type: service + serviceName: myapp-service + servicePort: 8080 + routes: + - pathSubtree: / + backends: + - backendName: myapp + tls: + - hosts: + - example.org +--- +apiVersion: v1 +kind: Endpoints +metadata: + labels: + app: myapp-deployment + name: myapp-service +subsets: + - addresses: + - ip: 10.3.0.3 + targetRef: + kind: Pod + name: myapp-deployment-6786bf95fd-fnqnq + ports: + - name: this-is-my-service-port-name + port: 80 + protocol: TCP +--- +apiVersion: v1 +kind: Secret +metadata: + name: myapp-secret + namespace: default +type: kubernetes.io/tls +data: + tls.crt: | + 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 + tls.key: | + 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 From 99ac3bfd3b24c0fe4144ac70fe662506013aafb2 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Mon, 1 Jan 2024 15:27:23 +0000 Subject: [PATCH 07/23] Skip adding cert to registry when no secret is defined TLS secrets is optional in the IngressV1 spec, using similar config for RouteGroups. Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/ingressv1.go | 7 +++++++ dataclients/kubernetes/routegroup.go | 6 ++++++ 2 files changed, 13 insertions(+) 
diff --git a/dataclients/kubernetes/ingressv1.go b/dataclients/kubernetes/ingressv1.go index 874a5f7f3a..ee290db42a 100644 --- a/dataclients/kubernetes/ingressv1.go +++ b/dataclients/kubernetes/ingressv1.go @@ -299,6 +299,13 @@ func (ing *ingress) addSpecIngressTLSV1(ic *ingressContext, ingtls *definitions. ic.logger.Infof("No matching tls hosts found") return } + + // Skip adding certs to registry since if certs defined + if ingtls.SecretName == "" { + ic.logger.Infof("No tls secret defined for hosts - %s", ingtls.Hosts) + return + } + // Secrets should always reside in same namespace as the Ingress secretID := &definitions.ResourceID{Name: ingtls.SecretName, Namespace: ic.ingressV1.Metadata.Namespace} secret, ok := ic.state.secrets[*secretID] diff --git a/dataclients/kubernetes/routegroup.go b/dataclients/kubernetes/routegroup.go index 3ad570fd7f..21776611f7 100644 --- a/dataclients/kubernetes/routegroup.go +++ b/dataclients/kubernetes/routegroup.go @@ -490,6 +490,12 @@ func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions. return } + // Skip adding certs to registry since no certs defined + if tls.SecretName == "" { + ctx.logger.Infof("No tls secret defined for hosts - %s", tls.Hosts) + return + } + // Secrets should always reside in the same namespace as the RouteGroup secretID := &definitions.ResourceID{Name: tls.SecretName, Namespace: ctx.routeGroup.Metadata.Namespace} secret, ok := ctx.state.secrets[*secretID] From 4aca418d2fdf48f571c918a6f3b1e5e285ebda12 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Mon, 1 Jan 2024 19:09:31 +0000 Subject: [PATCH 08/23] Update RouteGroup CRD with TLS spec Signed-off-by: Ricardo Herrera --- .../deploy/apply/routegroups_crd.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/dataclients/kubernetes/deploy/apply/routegroups_crd.yaml b/dataclients/kubernetes/deploy/apply/routegroups_crd.yaml index 0e68d2f774..67cb2aafb3 100644 
--- a/dataclients/kubernetes/deploy/apply/routegroups_crd.yaml +++ b/dataclients/kubernetes/deploy/apply/routegroups_crd.yaml @@ -216,6 +216,27 @@ spec: type: object minItems: 1 type: array + tls: + description: TLS defines which Kubernetes secret will be used to terminate + the connection based on the matching hostnames + items: + properties: + hosts: + description: Host specifies the list of hosts included in the + TLS secret. The values in this list must match the name/s + used in the tlsSecret. + items: + pattern: "^[a-z0-9]([-a-z0-9]*[a-z0-9])?([.][a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + type: string + minItems: 1 + type: array + secretName: + description: SecretName is the name of the secret used to terminate + TLS traffic on port 443. Field is left optional to allow TLS + routing based on SNI hostname alone. + type: string + type: object + type: array required: - backends type: object From f175dd09bf53c3cddb0858100569e8bc61be1a89 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Tue, 2 Jan 2024 07:25:21 -0500 Subject: [PATCH 09/23] Fix comments for new functions and typos Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/ingressv1.go | 2 +- dataclients/kubernetes/kube.go | 4 ++-- dataclients/kubernetes/routegroup.go | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/dataclients/kubernetes/ingressv1.go b/dataclients/kubernetes/ingressv1.go index ee290db42a..64df52fcb8 100644 --- a/dataclients/kubernetes/ingressv1.go +++ b/dataclients/kubernetes/ingressv1.go @@ -300,7 +300,7 @@ func (ing *ingress) addSpecIngressTLSV1(ic *ingressContext, ingtls *definitions. return } - // Skip adding certs to registry since if certs defined + // Skip adding certs to registry since no certs defined if ingtls.SecretName == "" { ic.logger.Infof("No tls secret defined for hosts - %s", ingtls.Hosts) return diff --git a/dataclients/kubernetes/kube.go b/dataclients/kubernetes/kube.go index aef70eeafe..a8736f72c3 100644 --- a/dataclients/kubernetes/kube.go 
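Review bot: The `hosts` description says the values "must match the name/s used in the tlsSecret", but `addRouteGroupTLS` matches them against the RouteGroup's own `spec.hosts` and never inspects the certificate's SANs, so the schema promises a check the controller does not make. Reword it to what is enforced: `description: Hosts lists the entries of spec.hosts for which the certificate in secretName is served; entries not present in spec.hosts are ignored, and the certificate is not verified to cover them.` `secretName` also has no `pattern` or `maxLength` while `hosts` does; a DNS-1123 subdomain pattern and `maxLength: 253` would reject at admission the names the API server would never accept for a Secret anyway.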
+++ b/dataclients/kubernetes/kube.go @@ -596,8 +596,8 @@ func compareStringList(a, b []string) []string { return c } -// addRouteGroupHostTLSCert adds a TLS certificate to the certificate registry per host when the referenced -// secret is found and is a valid TLS secret. +// addTLSCertToRegistry adds a TLS certificate to the certificate registry per host using the provided +// Kubernetes TLS secret func addTLSCertToRegistry(cr certregistry.CertRegistry, logger *logger, hosts []string, secret *secret) { cert, err := generateTLSCertFromSecret(secret) if err != nil { diff --git a/dataclients/kubernetes/routegroup.go b/dataclients/kubernetes/routegroup.go index 21776611f7..92d7512535 100644 --- a/dataclients/kubernetes/routegroup.go +++ b/dataclients/kubernetes/routegroup.go @@ -480,7 +480,7 @@ func splitHosts(hosts []string, domains []string) ([]string, []string) { return internalHosts, externalHosts } -// addRouteGroupTLS compares the RouteGroup host list and the RouteGroup.TLS host list +// addRouteGroupTLS compares the RouteGroup host list and the RouteGroup TLS host list // and adds the TLS secret to the registry if a match is found. func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions.RouteTLSSpec) { // Host in the tls section need to explicitly match the host in the RouteGroup From bccbca3ab57f43c089baaeabf0e250086e59ebd4 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Wed, 3 Jan 2024 10:18:45 +0000 Subject: [PATCH 10/23] Use plain value instead of pointer for secretID Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/ingressv1.go | 4 ++-- dataclients/kubernetes/routegroup.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/dataclients/kubernetes/ingressv1.go b/dataclients/kubernetes/ingressv1.go index 64df52fcb8..7221005938 100644 --- a/dataclients/kubernetes/ingressv1.go +++ b/dataclients/kubernetes/ingressv1.go 
@@ -307,8 +307,8 @@ func (ing *ingress) addSpecIngressTLSV1(ic *ingressContext, ingtls *definitions. } // Secrets should always reside in same namespace as the Ingress - secretID := &definitions.ResourceID{Name: ingtls.SecretName, Namespace: ic.ingressV1.Metadata.Namespace} - secret, ok := ic.state.secrets[*secretID] + secretID := definitions.ResourceID{Name: ingtls.SecretName, Namespace: ic.ingressV1.Metadata.Namespace} + secret, ok := ic.state.secrets[secretID] if !ok { ic.logger.Errorf("Failed to find secret %s in namespace %s", secretID.Name, secretID.Namespace) return diff --git a/dataclients/kubernetes/routegroup.go b/dataclients/kubernetes/routegroup.go index 92d7512535..2125d8904c 100644 --- a/dataclients/kubernetes/routegroup.go +++ b/dataclients/kubernetes/routegroup.go @@ -497,8 +497,8 @@ func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions. } // Secrets should always reside in the same namespace as the RouteGroup - secretID := &definitions.ResourceID{Name: tls.SecretName, Namespace: ctx.routeGroup.Metadata.Namespace} - secret, ok := ctx.state.secrets[*secretID] + secretID := definitions.ResourceID{Name: tls.SecretName, Namespace: ctx.routeGroup.Metadata.Namespace} + secret, ok := ctx.state.secrets[secretID] if !ok { ctx.logger.Errorf("Failed to find secret %s in namespace %s", secretID.Name, secretID.Namespace) return From 2b529a3a58af6b7e8b3d48bdc94f7978d2510659 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Wed, 3 Jan 2024 10:21:00 +0000 Subject: [PATCH 11/23] Use Debug log level when no secrets defined in TLS Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/ingressv1.go | 2 +- dataclients/kubernetes/routegroup.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dataclients/kubernetes/ingressv1.go b/dataclients/kubernetes/ingressv1.go index 7221005938..7a1b6dd0bb 100644 --- a/dataclients/kubernetes/ingressv1.go +++ b/dataclients/kubernetes/ingressv1.go 
@@ -302,7 +302,7 @@ func (ing *ingress) addSpecIngressTLSV1(ic *ingressContext, ingtls *definitions. // Skip adding certs to registry since no certs defined if ingtls.SecretName == "" { - ic.logger.Infof("No tls secret defined for hosts - %s", ingtls.Hosts) + ic.logger.Debugf("No tls secret defined for hosts - %s", ingtls.Hosts) return } diff --git a/dataclients/kubernetes/routegroup.go b/dataclients/kubernetes/routegroup.go index 2125d8904c..8c1ac15ae5 100644 --- a/dataclients/kubernetes/routegroup.go +++ b/dataclients/kubernetes/routegroup.go @@ -492,7 +492,7 @@ func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions. // Skip adding certs to registry since no certs defined if tls.SecretName == "" { - ctx.logger.Infof("No tls secret defined for hosts - %s", tls.Hosts) + ctx.logger.Debugf("No tls secret defined for hosts - %s", tls.Hosts) return } From ded3e167f7741d339e34b1301e786f295396dc99 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Wed, 3 Jan 2024 10:27:11 +0000 Subject: [PATCH 12/23] Log hosts in tls and hosts in route or ingress when no match Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/ingressv1.go | 2 +- dataclients/kubernetes/routegroup.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dataclients/kubernetes/ingressv1.go b/dataclients/kubernetes/ingressv1.go index 7a1b6dd0bb..91faca3730 100644 --- a/dataclients/kubernetes/ingressv1.go +++ b/dataclients/kubernetes/ingressv1.go @@ -296,7 +296,7 @@ func (ing *ingress) addSpecIngressTLSV1(ic *ingressContext, ingtls *definitions. // Hosts in the tls section need to explicitly match the host in the rules section. hostlist := compareStringList(ingtls.Hosts, definitions.GetHostsFromIngressRulesV1(ic.ingressV1)) if len(hostlist) == 0 { - ic.logger.Infof("No matching tls hosts found") + ic.logger.Infof("No matching tls hosts found - tls hosts: %s, ingress hosts: %s", ingtls.Hosts, definitions.GetHostsFromIngressRulesV1(ic.ingressV1)) return } 
diff --git a/dataclients/kubernetes/routegroup.go b/dataclients/kubernetes/routegroup.go index 8c1ac15ae5..1f9fb311e0 100644 --- a/dataclients/kubernetes/routegroup.go +++ b/dataclients/kubernetes/routegroup.go @@ -486,7 +486,7 @@ func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions. // Host in the tls section need to explicitly match the host in the RouteGroup hostlist := compareStringList(tls.Hosts, ctx.routeGroup.Spec.UniqueHosts()) if len(hostlist) == 0 { - ctx.logger.Infof("No matching tls hosts found") + ctx.logger.Infof("No matching tls hosts found - tls hosts: %s, routegroup hosts: %s", tls.Hosts, ctx.routeGroup.Spec.UniqueHosts()) return } From 04e80619ea4a3b7eed95b6da3375c35ec741f620 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Wed, 3 Jan 2024 10:47:21 +0000 Subject: [PATCH 13/23] Add logging for non matching tls and ingress/routegroup Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/ingressv1.go | 2 ++ dataclients/kubernetes/routegroup.go | 2 ++ 2 files changed, 4 insertions(+) diff --git a/dataclients/kubernetes/ingressv1.go b/dataclients/kubernetes/ingressv1.go index 91faca3730..8b7bcd1129 100644 --- a/dataclients/kubernetes/ingressv1.go +++ b/dataclients/kubernetes/ingressv1.go @@ -298,6 +298,8 @@ func (ing *ingress) addSpecIngressTLSV1(ic *ingressContext, ingtls *definitions. if len(hostlist) == 0 { ic.logger.Infof("No matching tls hosts found - tls hosts: %s, ingress hosts: %s", ingtls.Hosts, definitions.GetHostsFromIngressRulesV1(ic.ingressV1)) return + } else if len(hostlist) != len(ingtls.Hosts) { + ic.logger.Infof("Hosts in TLS and Ingress don't match: tls hosts: %s, ingress hosts: %s", ingtls.Hosts, definitions.GetHostsFromIngressRulesV1(ic.ingressV1)) } // Skip adding certs to registry since no certs defined diff --git a/dataclients/kubernetes/routegroup.go b/dataclients/kubernetes/routegroup.go index 1f9fb311e0..35951ca148 100644 --- a/dataclients/kubernetes/routegroup.go 
+++ b/dataclients/kubernetes/routegroup.go @@ -488,6 +488,8 @@ func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions. if len(hostlist) == 0 { ctx.logger.Infof("No matching tls hosts found - tls hosts: %s, routegroup hosts: %s", tls.Hosts, ctx.routeGroup.Spec.UniqueHosts()) return + } else if len(hostlist) != len(tls.Hosts) { + ctx.logger.Infof("Hosts in TLS and RouteGroup don't match: tls hosts: %s, routegroup hosts: %s", tls.Hosts, ctx.routeGroup.Spec.UniqueHosts()) } // Skip adding certs to registry since no certs defined From 0daaddf346911c06d22ec623f737f59e47f187c0 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Wed, 3 Jan 2024 10:49:21 +0000 Subject: [PATCH 14/23] Remove unneeded deployment definition from tests Signed-off-by: Ricardo Herrera --- .../routegroups/tls/tls-invalid-secret.yaml | 24 ------------------- .../routegroups/tls/tls-invalid-tls.yaml | 24 ------------------- .../routegroups/tls/tls-missing-host.yaml | 24 ------------------- .../routegroups/tls/tls-missing-secret.yaml | 24 ------------------- .../routegroups/tls/tls-multiple-host.yaml | 24 ------------------- .../routegroups/tls/tls-no-secret.yaml | 24 ------------------- .../routegroups/tls/tls-single-host.yaml | 24 ------------------- 7 files changed, 168 deletions(-) diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.yaml index 21b46c15e2..42aaf6544e 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.yaml +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-secret.yaml 
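Review bot: The new `else if` follows a branch that `return`s, which Go style avoids, and `ctx.routeGroup.Spec.UniqueHosts()` is now evaluated up to three times in the same function (the comparison and both log calls); hoist it into a local and drop the `else`. Note also that `len(hostlist) != len(tls.Hosts)` will report a mismatch when `tls.Hosts` merely contains a duplicate, if `compareStringList` de-duplicates — hedged, since its body is not in this hunk. `addRouteGroupTLS` starts before the hunk.

```go
	rgHosts := ctx.routeGroup.Spec.UniqueHosts()
	hostlist := compareStringList(tls.Hosts, rgHosts)
	if len(hostlist) == 0 {
		ctx.logger.Infof("No matching tls hosts found - tls hosts: %s, routegroup hosts: %s", tls.Hosts, rgHosts)
		return
	}
	if len(hostlist) != len(tls.Hosts) {
		ctx.logger.Infof("Hosts in TLS and RouteGroup don't match: tls hosts: %s, routegroup hosts: %s", tls.Hosts, rgHosts)
	}
	// … unchanged: empty secretName check and secret lookup …
```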
@@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.yaml index 4714b6a1e9..5879744fe6 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.yaml +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-invalid-tls.yaml @@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.yaml index a492896ddd..6a134aa6ae 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.yaml +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.yaml @@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: 
diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.yaml index 53c2600bc1..9f3f8fa90e 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.yaml +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-secret.yaml @@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.yaml index 91fd8b4735..ced89deb7a 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.yaml +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.yaml @@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.yaml index 0e41c798c8..5ac4115c55 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.yaml +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-no-secret.yaml 
@@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.yaml index b87648c9a0..274ab5f111 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.yaml +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.yaml @@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: From 73aac011db39aa56561e9be6bfe6a87a0791fab2 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Wed, 3 Jan 2024 12:09:56 +0000 Subject: [PATCH 15/23] Update fixture tests with log checks 
Signed-off-by: Ricardo Herrera --- .../ingressV1/tls/tls-host-mismatch.kube | 1 + .../ingressV1/tls/tls-host-mismatch.log | 2 + .../ingressV1/tls/tls-host-mismatch.yaml | 93 +++++++++++++++++++ .../ingressV1/tls/tls-missing-host.log | 2 +- .../routegroups/tls/tls-host-mismatch.kube | 1 + .../routegroups/tls/tls-host-mismatch.log | 2 + .../routegroups/tls/tls-host-mismatch.yaml | 68 ++++++++++++++ .../routegroups/tls/tls-missing-host.log | 2 +- 8 files changed, 169 insertions(+), 2 deletions(-) create mode 100644 dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.kube create mode 100644 dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.log create mode 100644 dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.yaml create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.kube create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.log create mode 100644 dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.yaml diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.kube b/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.kube new file mode 100644 index 0000000000..169ce65a8b --- /dev/null +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.kube @@ -0,0 +1 @@ +kubernetes-enable-tls: true diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.log b/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.log new file mode 100644 index 0000000000..d4740af7ef --- /dev/null +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.log @@ -0,0 +1,2 @@ +level=info msg="Hosts in TLS and Ingress don't match: tls hosts: \[example.org bar.org\], ingress hosts: \[example.org\]" kind=Ingress name=myapp-ingress ns=default +level=info msg="adding certificate to registry - example.org" \ No newline at end of file 
diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.yaml b/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.yaml new file mode 100644 index 0000000000..e5ba07a022 --- /dev/null +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.yaml 
@@ -0,0 +1,93 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp-deployment + labels: + app: myapp +spec: + replicas: 1 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: myapp + image: myapp:v1 + ports: + - containerPort: 80 + name: my-port + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: myapp-deployment + name: myapp-service +spec: + clusterIP: 10.3.190.1 + ports: + - name: this-is-my-service-port-name + port: 8080 + protocol: TCP + targetPort: my-port + selector: + app: myapp + type: ClusterIP +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + labels: + app: myapp + name: myapp-ingress + namespace: default +spec: + tls: + - secretName: myapp-secret + hosts: + - example.org + - bar.org + rules: + - host: example.org + http: + paths: + - backend: + service: + name: myapp-service + port: + number: 8080 + pathType: ImplementationSpecific +--- +apiVersion: v1 +kind: Endpoints +metadata: + labels: + app: myapp-deployment + name: myapp-service +subsets: + - addresses: + - ip: 10.3.0.3 + targetRef: + kind: Pod + name: myapp-deployment-6786bf95fd-fnqnq + ports: + - name: this-is-my-service-port-name + port: 80 + protocol: TCP +--- +apiVersion: v1 +kind: Secret +metadata: + name: myapp-secret + namespace: default +type: kubernetes.io/tls +data: + tls.crt: | + 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZhekNDQTFPZ0F3SUJBZ0lVZm9WZWI1Y3Y2alZlOC9ZQWFVaGVJejJCSXBNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TWpBek1UQXlNREU0TURSYUZ3MHlNekF6Ck1UQXlNREU0TURSYU1FVXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRRE10ZGpVUUhzUGJDamNQMjJORmpKN3NzOXJYOVEydmloVVpLN2cvbGF4Cm1hMnpmelV6QitKUUNhdTlFZkRQUVpqVC91NWVGL29vaUtqbGI1Q25USEZMbG52eFd6N1pKN0hWYzAzTnZhWEUKUk54VmdPMXNCbkxSME9URTZRampBYW9lU29RSnFDMEI2em5KdTlNaVdUeVVsY2xWNHVocmZERGZUK1hUcHNrVgpLV2pnMG9ORCtFN01zMTlsRTRwMVYrV0dPWVRub0E1a3pvS2Z4aGpIN3R6SWZwbXFTWGJ2RGxkOWNacUJGbEtHCjBGeWFxK2pUS1lkRWtRL2xQekxJQWtaWW5NVVJDcklJYkZ3WHpuV3VqYzNQYVNnQkdCSmowVFlsN1Z6SExzM2sKL2dCdzd4N1FZZk41SGFZckhYN0FqMlQ4b2Z2a2xhcUxDRDFUaS9nM3dNVzgyR0NJVW52OW13Z3F5TFJoSHBscgpiUmV0a3BSU0JueDlOMWtac2VkaFVoR2FuS3I5MVhrajBySlRTcnBNUkZsSjdVWTlzTEMwenRwVGtMTjlvMnZpCmxrVFd0S3dKTzZXTzBsOTNDSitsWXhUcndNU3RLT0JDN2tVOXdhcVN3REQ0MHJtS1c3VTE0TlVhcTVIYlVISTYKMmY3UzBxVlRhb255VUN6OUVhVmJLaTV0SDFuVkJ1SWwzUDFRQS9RMkh1ZWo5TTU5YWlaT0lDVnhmQmJUbUNIeApyeG5pai83MWlDbTcrMWllNUxIMTI4Y2krNW1nRTQvditPZFZwM0RucVkycmFNeUFJMFBJNGVNVFlmc2tRWVFkCjlCRU8rVkI4ZGdtcnlSR2dPaHNSWFFieXFNOERYTXc4S1BrS2IxTjBwR2l1NXVNRVFKaHd4S3N6T0JGWGtyRG8KQndJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVUVXTTh0WjRsVng0MlFMeE8xSE03dGRCZUMvOHdId1lEVlIwagpCQmd3Rm9BVUVXTTh0WjRsVng0MlFMeE8xSE03dGRCZUMvOHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBZ0VBd3UwN2doaHRyUkNMZ0JuNENHbE5vVkxLRkx2SjQ3T21GUUc1eVp5MTEvdzkKaC9oblJMeDVCbk8wb1lZMmw4M0Z3OUozUWVIaThDTk84Ujc4NTRmRk56WGMxSEFZa1RWc1VZbE9wOW4wTTYwSgpKb3MyUFA5TldNTUpCcFg3Q3JQYUZRRjJoU09hb1NqaXZ1dVoxRnQrZVZEY3FWMjM0VFkrK25hYzBRc053RTYrCnpMai91TGFEM0xWUXh6Y2RuNWMrYVpSNjV0K3I0Q0RsWW1MMGVJY2RTeXF5UUtUWDlMaE1lVXQ3RUxJdEpnVkgKZDdSaDRuRU8rRDVhVEszNkZNSk9TM0VUL0Y1RksrT2QzVmgwMW9RTTJw
R0dqQ3A3d2dMeWxNNTVaMWhsTnVXMQo4YWp2eHJDNWVVd2RkaTA4WWFBQjlpR1VRLzRmeUFmQkNkNjJZVVRXSUhib1NMKy84MEpySFZIQnhTaWZ0NmRFClI0SVBtbmtoakovOFcvK1g1WThvOFdrVUF3Zm00QWpOL3ZOZGUxWm1NSVFsSEZhQVRuWUJEaXBaOElSUnBndFEKcnc4d044U0NOV0plZHppdlVoYjdXdUdHbndCcDZ1Wjg1TDUzblN3SFBBS2Y3eGNhTXROVnpuZ1VJaXU1bm9PNwpZSFFzcG1xRVhQQzQ4NERmMHhTUWllUUhTWGxPUVFXS285QTQ5ZXM1NnV2ZGw0c0pTbW9uUTZMblgzV21sUGFGCmdxQSs2ZXZHanVqQmppaTBybncvUWpxY3NteHNtWU84alpGY21pZWpJL3AxUE1OalBpRWJjZGhrNFNrdDlxdnkKcDhvTXVLVzFLNHFpRUp0R1VOT3hkUEt2b1V1MWllQUtuY0FtdUhxdWNHWDBva2JrdmZjT0tYQjFoRi9kK1gwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.key: | + 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 diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log b/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log index 7dfbfd0fae..29b7356fde 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log @@ -1 +1 @@ -level=info msg="No matching tls hosts found" kind=Ingress name=myapp-ingress ns=default +level=info msg="No matching tls hosts found - tls hosts: \[foo.org bar.org\], ingress hosts: \[example.org\]" kind=Ingress name=myapp-ingress ns=default \ No newline at end of file diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.kube b/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.kube new file mode 100644 index 0000000000..169ce65a8b --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.kube @@ -0,0 +1 @@ +kubernetes-enable-tls: true diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.log new file mode 100644 index 0000000000..16fb6327db --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.log 
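Review bot: The certificate in the `myapp-secret` block does not cover the hosts the fixture pairs it with — decoding the `tls.crt` data yields what appears to be an openssl-default self-signed CA certificate (C=AU, O=Internet Widgits Pty Ltd, CA:TRUE, no subjectAltName) with a validity window of 2022-03-10 to 2023-03-10, so it is already expired and names neither example.org nor bar.org. That is harmless while the tests only assert on host-list matching and the "adding certificate to registry" log line, but any later check that validates the chain or matches SANs against `hosts` will fail on this data, and a reader comparing the fixture with the expected log can easily assume the certificate is for example.org. Consider regenerating a long-lived leaf certificate with `subjectAltName = DNS:example.org, DNS:bar.org` for the TLS fixtures, and put a comment above the secret such as `# test-only self-signed certificate; does not cover the hosts above, used solely to exercise host matching` so the limitation is explicit. The committed `tls.key` should likewise be a throwaway key generated for these fixtures only and never reused elsewhere.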
@@ -0,0 +1,2 @@ +level=info msg="Hosts in TLS and RouteGroup don't match: tls hosts: \[bar.org example.org\], routegroup hosts: \[example.org\]" kind=RouteGroup name=myapp ns=default +level=info msg="adding certificate to registry - example.org" \ No newline at end of file diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.yaml b/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.yaml new file mode 100644 index 0000000000..bc07f4654a --- /dev/null +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.yaml 
@@ -0,0 +1,68 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: myapp-deployment + name: myapp-service +spec: + clusterIP: 10.3.190.1 + ports: + - name: this-is-my-service-port-name + port: 8080 + protocol: TCP + targetPort: my-port + selector: + app: myapp + type: ClusterIP +--- +apiVersion: zalando.org/v1 +kind: RouteGroup +metadata: + name: myapp + namespace: default +spec: + hosts: + - example.org + backends: + - name: myapp + type: service + serviceName: myapp-service + servicePort: 8080 + routes: + - pathSubtree: / + backends: + - backendName: myapp + tls: + - hosts: + - bar.org + - example.org + secretName: myapp-secret +--- +apiVersion: v1 +kind: Endpoints +metadata: + labels: + app: myapp-deployment + name: myapp-service +subsets: + - addresses: + - ip: 10.3.0.3 + targetRef: + kind: Pod + name: myapp-deployment-6786bf95fd-fnqnq + ports: + - name: this-is-my-service-port-name + port: 80 + protocol: TCP +--- +apiVersion: v1 +kind: Secret +metadata: + name: myapp-secret + namespace: default +type: kubernetes.io/tls +data: + tls.crt: | + 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZhekNDQTFPZ0F3SUJBZ0lVZm9WZWI1Y3Y2alZlOC9ZQWFVaGVJejJCSXBNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TWpBek1UQXlNREU0TURSYUZ3MHlNekF6Ck1UQXlNREU0TURSYU1FVXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRRE10ZGpVUUhzUGJDamNQMjJORmpKN3NzOXJYOVEydmloVVpLN2cvbGF4Cm1hMnpmelV6QitKUUNhdTlFZkRQUVpqVC91NWVGL29vaUtqbGI1Q25USEZMbG52eFd6N1pKN0hWYzAzTnZhWEUKUk54VmdPMXNCbkxSME9URTZRampBYW9lU29RSnFDMEI2em5KdTlNaVdUeVVsY2xWNHVocmZERGZUK1hUcHNrVgpLV2pnMG9ORCtFN01zMTlsRTRwMVYrV0dPWVRub0E1a3pvS2Z4aGpIN3R6SWZwbXFTWGJ2RGxkOWNacUJGbEtHCjBGeWFxK2pUS1lkRWtRL2xQekxJQWtaWW5NVVJDcklJYkZ3WHpuV3VqYzNQYVNnQkdCSmowVFlsN1Z6SExzM2sKL2dCdzd4N1FZZk41SGFZckhYN0FqMlQ4b2Z2a2xhcUxDRDFUaS9nM3dNVzgyR0NJVW52OW13Z3F5TFJoSHBscgpiUmV0a3BSU0JueDlOMWtac2VkaFVoR2FuS3I5MVhrajBySlRTcnBNUkZsSjdVWTlzTEMwenRwVGtMTjlvMnZpCmxrVFd0S3dKTzZXTzBsOTNDSitsWXhUcndNU3RLT0JDN2tVOXdhcVN3REQ0MHJtS1c3VTE0TlVhcTVIYlVISTYKMmY3UzBxVlRhb255VUN6OUVhVmJLaTV0SDFuVkJ1SWwzUDFRQS9RMkh1ZWo5TTU5YWlaT0lDVnhmQmJUbUNIeApyeG5pai83MWlDbTcrMWllNUxIMTI4Y2krNW1nRTQvditPZFZwM0RucVkycmFNeUFJMFBJNGVNVFlmc2tRWVFkCjlCRU8rVkI4ZGdtcnlSR2dPaHNSWFFieXFNOERYTXc4S1BrS2IxTjBwR2l1NXVNRVFKaHd4S3N6T0JGWGtyRG8KQndJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVUVXTTh0WjRsVng0MlFMeE8xSE03dGRCZUMvOHdId1lEVlIwagpCQmd3Rm9BVUVXTTh0WjRsVng0MlFMeE8xSE03dGRCZUMvOHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBZ0VBd3UwN2doaHRyUkNMZ0JuNENHbE5vVkxLRkx2SjQ3T21GUUc1eVp5MTEvdzkKaC9oblJMeDVCbk8wb1lZMmw4M0Z3OUozUWVIaThDTk84Ujc4NTRmRk56WGMxSEFZa1RWc1VZbE9wOW4wTTYwSgpKb3MyUFA5TldNTUpCcFg3Q3JQYUZRRjJoU09hb1NqaXZ1dVoxRnQrZVZEY3FWMjM0VFkrK25hYzBRc053RTYrCnpMai91TGFEM0xWUXh6Y2RuNWMrYVpSNjV0K3I0Q0RsWW1MMGVJY2RTeXF5UUtUWDlMaE1lVXQ3RUxJdEpnVkgKZDdSaDRuRU8rRDVhVEszNkZNSk9TM0VUL0Y1RksrT2QzVmgwMW9RTTJw
R0dqQ3A3d2dMeWxNNTVaMWhsTnVXMQo4YWp2eHJDNWVVd2RkaTA4WWFBQjlpR1VRLzRmeUFmQkNkNjJZVVRXSUhib1NMKy84MEpySFZIQnhTaWZ0NmRFClI0SVBtbmtoakovOFcvK1g1WThvOFdrVUF3Zm00QWpOL3ZOZGUxWm1NSVFsSEZhQVRuWUJEaXBaOElSUnBndFEKcnc4d044U0NOV0plZHppdlVoYjdXdUdHbndCcDZ1Wjg1TDUzblN3SFBBS2Y3eGNhTXROVnpuZ1VJaXU1bm9PNwpZSFFzcG1xRVhQQzQ4NERmMHhTUWllUUhTWGxPUVFXS285QTQ5ZXM1NnV2ZGw0c0pTbW9uUTZMblgzV21sUGFGCmdxQSs2ZXZHanVqQmppaTBybncvUWpxY3NteHNtWU84alpGY21pZWpJL3AxUE1OalBpRWJjZGhrNFNrdDlxdnkKcDhvTXVLVzFLNHFpRUp0R1VOT3hkUEt2b1V1MWllQUtuY0FtdUhxdWNHWDBva2JrdmZjT0tYQjFoRi9kK1gwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.key: | + 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 diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log index bd57b17f2d..9f036d36df 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log @@ -1 +1 @@ -level=info msg="No matching tls hosts found" kind=RouteGroup name=myapp ns=default +level=info msg="No matching tls hosts found - tls hosts: \[foo.org\], routegroup hosts: \[example.org\]" kind=RouteGroup name=myapp ns=default \ No newline at end of file From 090e10b41862a19cf45233e314cb1abb94fbf121 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Wed, 3 Jan 2024 14:32:37 +0000 Subject: [PATCH 16/23] Remove all unused Deployments from Ingress fixtures 
Signed-off-by: Ricardo Herrera --- .../ingressV1/tls/tls-host-mismatch.yaml | 24 ------------------- .../ingressV1/tls/tls-invalid-secret.yaml | 24 ------------------- .../ingressV1/tls/tls-invalid-tls.yaml | 24 ------------------- .../ingressV1/tls/tls-missing-host.yaml | 24 ------------------- .../ingressV1/tls/tls-missing-secret.yaml | 24 ------------------- .../ingressV1/tls/tls-multiple-host.yaml | 24 ------------------- .../testdata/ingressV1/tls/tls-no-secret.yaml | 24 ------------------- .../ingressV1/tls/tls-single-host.yaml | 24 ------------------- 8 files changed, 192 deletions(-) diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.yaml b/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.yaml index e5ba07a022..b663662023 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.yaml +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.yaml @@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-invalid-secret.yaml b/dataclients/kubernetes/testdata/ingressV1/tls/tls-invalid-secret.yaml index c18d535b7b..3de763d5f3 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-invalid-secret.yaml +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-invalid-secret.yaml 
@@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-invalid-tls.yaml b/dataclients/kubernetes/testdata/ingressV1/tls/tls-invalid-tls.yaml index 68d3c859fc..b293d76195 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-invalid-tls.yaml +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-invalid-tls.yaml @@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.yaml b/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.yaml index 8e198369a5..592048e699 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.yaml +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.yaml @@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: 
diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-secret.yaml b/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-secret.yaml index c27d9b5dc5..09cf3af827 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-secret.yaml +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-secret.yaml @@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-multiple-host.yaml b/dataclients/kubernetes/testdata/ingressV1/tls/tls-multiple-host.yaml index eed9faf51c..60b3b54b1f 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-multiple-host.yaml +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-multiple-host.yaml @@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.yaml b/dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.yaml index bc10d61069..68df1e145f 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.yaml +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-no-secret.yaml 
@@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-single-host.yaml b/dataclients/kubernetes/testdata/ingressV1/tls/tls-single-host.yaml index 4d862bd3b3..56a2747366 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-single-host.yaml +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-single-host.yaml @@ -1,27 +1,3 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: myapp-deployment - labels: - app: myapp -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: myapp - image: myapp:v1 - ports: - - containerPort: 80 - name: my-port - protocol: TCP ---- apiVersion: v1 kind: Service metadata: From 5795c512df4e096ef69de2c1ded45124480dc2e5 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Wed, 3 Jan 2024 15:58:34 +0000 Subject: [PATCH 17/23] Fix how cert registry is passed to addTLSCertToRegistry Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/ingressv1.go | 2 +- dataclients/kubernetes/kube.go | 2 +- dataclients/kubernetes/routegroup.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/dataclients/kubernetes/ingressv1.go b/dataclients/kubernetes/ingressv1.go index 8b7bcd1129..02114605a5 100644 --- a/dataclients/kubernetes/ingressv1.go +++ b/dataclients/kubernetes/ingressv1.go 
@@ -315,7 +315,7 @@ func (ing *ingress) addSpecIngressTLSV1(ic *ingressContext, ingtls *definitions. ic.logger.Errorf("Failed to find secret %s in namespace %s", secretID.Name, secretID.Namespace) return } - addTLSCertToRegistry(*ic.certificateRegistry, ic.logger, hostlist, secret) + addTLSCertToRegistry(ic.certificateRegistry, ic.logger, hostlist, secret) } // converts the default backend if any diff --git a/dataclients/kubernetes/kube.go b/dataclients/kubernetes/kube.go index a8736f72c3..3500c71de0 100644 --- a/dataclients/kubernetes/kube.go +++ b/dataclients/kubernetes/kube.go @@ -598,7 +598,7 @@ func compareStringList(a, b []string) []string { // addTLSCertToRegistry adds a TLS certificate to the certificate registry per host using the provided // Kubernetes TLS secret -func addTLSCertToRegistry(cr certregistry.CertRegistry, logger *logger, hosts []string, secret *secret) { +func addTLSCertToRegistry(cr *certregistry.CertRegistry, logger *logger, hosts []string, secret *secret) { cert, err := generateTLSCertFromSecret(secret) if err != nil { logger.Errorf("Failed to generate TLS certificate from secret: %v", err) diff --git a/dataclients/kubernetes/routegroup.go b/dataclients/kubernetes/routegroup.go index 35951ca148..9572eeb268 100644 --- a/dataclients/kubernetes/routegroup.go +++ b/dataclients/kubernetes/routegroup.go @@ -505,7 +505,7 @@ func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions. ctx.logger.Errorf("Failed to find secret %s in namespace %s", secretID.Name, secretID.Namespace) return } - addTLSCertToRegistry(*ctx.certificateRegistry, ctx.logger, hostlist, secret) + addTLSCertToRegistry(ctx.certificateRegistry, ctx.logger, hostlist, secret) } From 9bf60a0891d6c0d9097fa7a71cace803269e13b2 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Sat, 6 Jan 2024 15:50:05 -0500 Subject: [PATCH 18/23] Add missing newlines for ingress tls fixtures 
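Review bot: The pointer signature fixes the by-value copy, but `addTLSCertToRegistry` now operates on whatever `ic.certificateRegistry` / `ctx.certificateRegistry` hold, and nothing in these hunks guards against a nil registry; the `kubernetes-enable-tls` fixture flag suggests the registry is optional, so a call with TLS disabled would most likely panic inside the data client instead of skipping the secret. Add a guard at the top of the function, `if cr == nil { logger.Errorf("certificate registry not configured, skipping TLS for hosts %v", hosts); return }`, unless the callers already gate on the TLS flag (not visible here). Passing the registry by value previously meant that, unless CertRegistry is purely reference-typed internally, certificates were added to a copy and the host-to-certificate mapping was silently ineffective, so this fix deserves a regression test that resolves a host from the shared registry after `addSpecIngressTLSV1` runs. The body of `addTLSCertToRegistry` continues outside the hunk.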
Signed-off-by: Ricardo Herrera --- .../kubernetes/testdata/ingressV1/tls/tls-host-mismatch.log | 2 +- .../kubernetes/testdata/ingressV1/tls/tls-missing-host.log | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.log b/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.log index d4740af7ef..ea8d9ffab9 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.log +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.log @@ -1,2 +1,2 @@ level=info msg="Hosts in TLS and Ingress don't match: tls hosts: \[example.org bar.org\], ingress hosts: \[example.org\]" kind=Ingress name=myapp-ingress ns=default -level=info msg="adding certificate to registry - example.org" \ No newline at end of file +level=info msg="adding certificate to registry - example.org" diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log b/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log index 29b7356fde..af05c98469 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log @@ -1 +1 @@ -level=info msg="No matching tls hosts found - tls hosts: \[foo.org bar.org\], ingress hosts: \[example.org\]" kind=Ingress name=myapp-ingress ns=default \ No newline at end of file +level=info msg="No matching tls hosts found - tls hosts: \[foo.org bar.org\], ingress hosts: \[example.org\]" kind=Ingress name=myapp-ingress ns=default From 31348fcca092d9c12bb4af4352bc4352ad793800 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Sat, 6 Jan 2024 16:01:51 -0500 Subject: [PATCH 19/23] Add local variable for ingress hosts in addSpecIngressTLSV1 Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/ingressv1.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/dataclients/kubernetes/ingressv1.go b/dataclients/kubernetes/ingressv1.go index 02114605a5..82f25801bc 100644 --- a/dataclients/kubernetes/ingressv1.go +++ b/dataclients/kubernetes/ingressv1.go @@ -293,10 +293,12 @@ func (ing *ingress) addSpecRuleV1(ic *ingressContext, ru *definitions.RuleV1) er // addSpecIngressTLSV1 is used to add TLS Certificates from Ingress resources. Certificates will be added // only if the Ingress rule host matches a host in TLS config func (ing *ingress) addSpecIngressTLSV1(ic *ingressContext, ingtls *definitions.TLSV1) { + ingressHosts := definitions.GetHostsFromIngressRulesV1(ic.ingressV1) + // Hosts in the tls section need to explicitly match the host in the rules section. - hostlist := compareStringList(ingtls.Hosts, definitions.GetHostsFromIngressRulesV1(ic.ingressV1)) + hostlist := compareStringList(ingtls.Hosts, ingressHosts) if len(hostlist) == 0 { - ic.logger.Infof("No matching tls hosts found - tls hosts: %s, ingress hosts: %s", ingtls.Hosts, definitions.GetHostsFromIngressRulesV1(ic.ingressV1)) + ic.logger.Infof("No matching tls hosts found - tls hosts: %s, ingress hosts: %s", ingtls.Hosts, ingressHosts) return } else if len(hostlist) != len(ingtls.Hosts) { ic.logger.Infof("Hosts in TLS and Ingress don't match: tls hosts: %s, ingress hosts: %s", ingtls.Hosts, definitions.GetHostsFromIngressRulesV1(ic.ingressV1)) From d9671ac719795f55ee032936c7bdeacb82f5e8d0 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Mon, 8 Jan 2024 08:37:48 -0500 Subject: [PATCH 20/23] Log Error when no TLS hosts match Ingress and RouteGroups hosts Signed-off-by: Ricardo Herrera --- dataclients/kubernetes/ingressv1.go | 2 +- dataclients/kubernetes/routegroup.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dataclients/kubernetes/ingressv1.go b/dataclients/kubernetes/ingressv1.go index 82f25801bc..99a923f6c4 100644 --- a/dataclients/kubernetes/ingressv1.go +++ b/dataclients/kubernetes/ingressv1.go 
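Review bot: The `else if` branch still calls `definitions.GetHostsFromIngressRulesV1(ic.ingressV1)` a second time in its log line even though this commit introduces `ingressHosts` for exactly that value, so the host list is computed twice and the two log messages can disagree if the helper's output ever stops being stable. Replace it with `ic.logger.Infof("Hosts in TLS and Ingress don't match: tls hosts: %s, ingress hosts: %s", ingtls.Hosts, ingressHosts)`. The function body continues past the end of the hunk.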
@@ -298,7 +298,7 @@ func (ing *ingress) addSpecIngressTLSV1(ic *ingressContext, ingtls *definitions. // Hosts in the tls section need to explicitly match the host in the rules section. hostlist := compareStringList(ingtls.Hosts, ingressHosts) if len(hostlist) == 0 { - ic.logger.Infof("No matching tls hosts found - tls hosts: %s, ingress hosts: %s", ingtls.Hosts, ingressHosts) + ic.logger.Errorf("No matching tls hosts found - tls hosts: %s, ingress hosts: %s", ingtls.Hosts, ingressHosts) return } else if len(hostlist) != len(ingtls.Hosts) { ic.logger.Infof("Hosts in TLS and Ingress don't match: tls hosts: %s, ingress hosts: %s", ingtls.Hosts, definitions.GetHostsFromIngressRulesV1(ic.ingressV1)) diff --git a/dataclients/kubernetes/routegroup.go b/dataclients/kubernetes/routegroup.go index 9572eeb268..093c8d689d 100644 --- a/dataclients/kubernetes/routegroup.go +++ b/dataclients/kubernetes/routegroup.go @@ -486,7 +486,7 @@ func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions. // Host in the tls section need to explicitly match the host in the RouteGroup hostlist := compareStringList(tls.Hosts, ctx.routeGroup.Spec.UniqueHosts()) if len(hostlist) == 0 { - ctx.logger.Infof("No matching tls hosts found - tls hosts: %s, routegroup hosts: %s", tls.Hosts, ctx.routeGroup.Spec.UniqueHosts()) + ctx.logger.Errorf("No matching tls hosts found - tls hosts: %s, routegroup hosts: %s", tls.Hosts, ctx.routeGroup.Spec.UniqueHosts()) return } else if len(hostlist) != len(tls.Hosts) { ctx.logger.Infof("Hosts in TLS and RouteGroup don't match: tls hosts: %s, routegroup hosts: %s", tls.Hosts, ctx.routeGroup.Spec.UniqueHosts()) From 2ceba75cafdda55b512e3c265c1d0fc4425e34a1 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Mon, 8 Jan 2024 08:40:23 -0500 Subject: [PATCH 21/23] Add missing newlines to fixture log files 
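Review bot: Raising the no-match case to Error is right, but the partial-mismatch branch directly below it in both the Ingress and RouteGroup hunks stays at Info although it is the same class of misconfiguration: every host in `tls.hosts` that is absent from the resource's hosts is dropped from `hostlist` and will not receive this certificate, while the resource as a whole looks healthy in the logs. Promote that message to the same level, `ic.logger.Errorf("Hosts in TLS and Ingress don't match: ...")` and `ctx.logger.Errorf("Hosts in TLS and RouteGroup don't match: ...")`, or to a warning if the logger wrapper exposes one (only Infof and Errorf are visible here), and update the two `tls-host-mismatch.log` fixtures to match. Both enclosing functions continue outside the hunks.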
Signed-off-by: Ricardo Herrera --- .../kubernetes/testdata/routegroups/tls/tls-host-mismatch.log | 2 +- .../kubernetes/testdata/routegroups/tls/tls-missing-host.log | 2 +- .../kubernetes/testdata/routegroups/tls/tls-multiple-host.log | 2 +- .../kubernetes/testdata/routegroups/tls/tls-single-host.log | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.log index 16fb6327db..88093f37c8 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.log +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-host-mismatch.log @@ -1,2 +1,2 @@ level=info msg="Hosts in TLS and RouteGroup don't match: tls hosts: \[bar.org example.org\], routegroup hosts: \[example.org\]" kind=RouteGroup name=myapp ns=default -level=info msg="adding certificate to registry - example.org" \ No newline at end of file +level=info msg="adding certificate to registry - example.org" diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log index 9f036d36df..03834a659d 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log @@ -1 +1 @@ -level=info msg="No matching tls hosts found - tls hosts: \[foo.org\], routegroup hosts: \[example.org\]" kind=RouteGroup name=myapp ns=default \ No newline at end of file +level=info msg="No matching tls hosts found - tls hosts: \[foo.org\], routegroup hosts: \[example.org\]" kind=RouteGroup name=myapp ns=default diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.log index d1b4cd0877..efee9654ea 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.log 
+++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-multiple-host.log @@ -1,2 +1,2 @@ level=info msg="adding certificate to registry - foo.org" -level=info msg="adding certificate to registry - example.org" \ No newline at end of file +level=info msg="adding certificate to registry - example.org" diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.log index b9691ef678..dc90d6bd02 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.log +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-single-host.log @@ -1 +1 @@ -level=info msg="adding certificate to registry - example.org" \ No newline at end of file +level=info msg="adding certificate to registry - example.org" From 0e82071bce08e3ab6ced148467aafe13bc9e2aff Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Mon, 8 Jan 2024 08:43:55 -0500 Subject: [PATCH 22/23] Update fixture for tests for error log Signed-off-by: Ricardo Herrera --- .../kubernetes/testdata/ingressV1/tls/tls-missing-host.log | 2 +- .../kubernetes/testdata/routegroups/tls/tls-missing-host.log | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log b/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log index af05c98469..15de3a63c0 100644 --- a/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log +++ b/dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log @@ -1 +1 @@ -level=info msg="No matching tls hosts found - tls hosts: \[foo.org bar.org\], ingress hosts: \[example.org\]" kind=Ingress name=myapp-ingress ns=default +level=error msg="No matching tls hosts found - tls hosts: \[foo.org bar.org\], ingress hosts: \[example.org\]" kind=Ingress name=myapp-ingress ns=default 
diff --git a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log index 03834a659d..3f98f24493 100644 --- a/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log +++ b/dataclients/kubernetes/testdata/routegroups/tls/tls-missing-host.log @@ -1 +1 @@ -level=info msg="No matching tls hosts found - tls hosts: \[foo.org\], routegroup hosts: \[example.org\]" kind=RouteGroup name=myapp ns=default +level=error msg="No matching tls hosts found - tls hosts: \[foo.org\], routegroup hosts: \[example.org\]" kind=RouteGroup name=myapp ns=default From 67504823764c708f6ca41d93ea55cadf472824f6 Mon Sep 17 00:00:00 2001 From: Ricardo Herrera Date: Mon, 8 Jan 2024 13:44:25 -0500 Subject: [PATCH 23/23] Update with latest version of routegroup_crd Signed-off-by: Ricardo Herrera --- .../kubernetes/deploy/apply/routegroups_crd.yaml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/dataclients/kubernetes/deploy/apply/routegroups_crd.yaml b/dataclients/kubernetes/deploy/apply/routegroups_crd.yaml index 67cb2aafb3..c2c6fbd102 100644 --- a/dataclients/kubernetes/deploy/apply/routegroups_crd.yaml +++ b/dataclients/kubernetes/deploy/apply/routegroups_crd.yaml @@ -1,5 +1,3 @@ -# This is a copy of https://github.com/szuecs/routegroup-client/blob/master/zalando.org_routegroups.yaml -# DO NOT EDIT. --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -222,9 +220,10 @@ spec: items: properties: hosts: - description: Host specifies the list of hosts included in the - TLS secret. The values in this list must match the name/s - used in the tlsSecret. + description: TLS hosts specify the list of hosts included in + the TLS secret. The values in this list must match the host + name(s) used for the RouteGroup in order to terminate TLS + for the host(s). items: pattern: "^[a-z0-9]([-a-z0-9]*[a-z0-9])?([.][a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" type: string 
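Review bot: Dropping the `# This is a copy of https://github.com/szuecs/routegroup-client/... DO NOT EDIT.` header removes the only provenance marker for this vendored CRD, and the following hunks edit the schema in place, so the file can no longer be diffed against its upstream source to detect drift or tampering. If the upstream definition was updated first (the commit title suggests so, but that is not verifiable here), keep the pointer and record the exact revision it was synced from, e.g. `# Copy of https://github.com/szuecs/routegroup-client/blob/<commit>/zalando.org_routegroups.yaml — regenerate, do not edit by hand.`; otherwise the schema change belongs upstream with a resync here.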
@@ -232,9 +231,12 @@ spec: type: array secretName: description: SecretName is the name of the secret used to terminate - TLS traffic on port 443. Field is left optional to allow TLS - routing based on SNI hostname alone. + TLS traffic. Secret should reside in the same namespace as + the RouteGroup. type: string + required: + - hosts + - secretName type: object type: array required:
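Review bot: Making `hosts` and `secretName` required is a breaking schema change: the removed description explicitly allowed omitting `secretName` to route TLS by SNI hostname alone, and any existing RouteGroup with such a `tls` entry will fail CRD validation on its next apply while already-stored objects keep working until touched. Either keep `secretName` optional and reject secret-less entries in the data client, or call the break out in the commit message and release notes so operators can migrate. The new description also says the Secret should reside in the RouteGroup's namespace; it would help to state whether that is enforced rather than advisory, because refusing cross-namespace references is what stops one tenant's RouteGroup from pulling another namespace's key material — the lookup in `addRouteGroupTLS` logs `secretID.Namespace`, but where that namespace is derived from is not visible here.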