independently configure rules and TLS

Since the very first controller version, the TLS spec was only configured
if a corresponding hostname was found in the rules of the same ingress
resource. This commit changes this behavior and reads the TLS array as an
independent configuration.

Such update changes backward compatibility since a misconfigured TLS
would be silently ignored. However the new behavior better implements
the ingress spec.

pkg/converters/ingress/ingress.go

@@ -440,31 +440,30 @@ func (c *converter) syncIngress(ing *networking.Ingress) {
 				}
 			}
 		}
-		for _, tls := range ing.Spec.TLS {
-			for _, tlshost := range tls.Hosts {
-				if tlshost == hostname {
-					tlsPath := c.addTLS(source, tlshost, tls.SecretName)
-					if host.TLS.TLSHash == "" {
-						host.TLS.TLSFilename = tlsPath.Filename
-						host.TLS.TLSHash = tlsPath.SHA1Hash
-						host.TLS.TLSCommonName = tlsPath.CommonName
-						host.TLS.TLSNotAfter = tlsPath.NotAfter
-					} else if host.TLS.TLSHash != tlsPath.SHA1Hash {
-						msg := fmt.Sprintf("TLS of host '%s' was already assigned", host.Hostname)
-						if tls.SecretName != "" {
-							c.logger.Warn("skipping TLS secret '%s' of ingress '%s': %s", tls.SecretName, fullIngName, msg)
-						} else {
-							c.logger.Warn("skipping default TLS secret of ingress '%s': %s", fullIngName, msg)
-						}
-					}
+	}
+	for _, tls := range ing.Spec.TLS {
+		// tls secret
+		for _, hostname := range tls.Hosts {
+			host := c.addHost(hostname, source, annHost)
+			tlsPath := c.addTLS(source, hostname, tls.SecretName)
+			if host.TLS.TLSHash == "" {
+				host.TLS.TLSFilename = tlsPath.Filename
+				host.TLS.TLSHash = tlsPath.SHA1Hash
+				host.TLS.TLSCommonName = tlsPath.CommonName
+				host.TLS.TLSNotAfter = tlsPath.NotAfter
+			} else if host.TLS.TLSHash != tlsPath.SHA1Hash {
+				msg := fmt.Sprintf("TLS of host '%s' was already assigned", host.Hostname)
+				if tls.SecretName != "" {
+					c.logger.Warn("skipping TLS secret '%s' of ingress '%s': %s", tls.SecretName, fullIngName, msg)
+				} else {
+					c.logger.Warn("skipping default TLS secret of ingress '%s': %s", fullIngName, msg)
 				}
 			}
 		}
-	}
-	for _, tls := range ing.Spec.TLS {
-		// distinct prefix, read from the Annotations map
+		// acme tracking
 		var tlsAcme bool
 		if c.options.AcmeTrackTLSAnn {
+			// distinct prefix, read from the Annotations map
 			tlsAcmeStr, _ := ing.Annotations[ingtypes.ExtraTLSAcme]
 			tlsAcme, _ = strconv.ParseBool(tlsAcmeStr)
 		}

pkg/converters/ingress/ingress_test.go

@@ -585,6 +585,21 @@ func TestSyncInvalidTLS(t *testing.T) {
 WARN using default certificate due to an error reading secret 'tls-invalid' on ingress 'default/echo': secret not found: 'default/tls-invalid'`)
 }
 
+func TestSyncTLSSecretWithoutHost(t *testing.T) {
+	c := setup(t)
+	defer c.teardown()
+
+	c.createSvc1Auto()
+	c.createSecretTLS1("default/tls-echo")
+	c.Sync(c.createIngTLS2("default/echo", "tls-echo:echo.example.com"))
+
+	c.compareConfigFront(`
+- hostname: echo.example.com
+  paths: []
+  tls:
+    tlsfilename: /tls/default/tls-echo.pem`)
+}
+
 func TestSyncIngressClass(t *testing.T) {
 	apiGroup1 := "some.io"
 	testCases := []struct {
@@ -1985,6 +2000,26 @@ func (c *testConfig) createIngTLS1(name, hostname, path, service, secretHostName
 	return ing
 }
 
+func (c *testConfig) createIngTLS2(name, secretHostName string) *networking.Ingress {
+	tls := []networking.IngressTLS{}
+	for _, secret := range strings.Split(secretHostName, ";") {
+		ssecret := strings.Split(secret, ":")
+		hosts := []string{}
+		if len(ssecret) > 1 {
+			for _, host := range strings.Split(ssecret[1], ",") {
+				hosts = append(hosts, host)
+			}
+		}
+		tls = append(tls, networking.IngressTLS{
+			Hosts:      hosts,
+			SecretName: ssecret[0],
+		})
+	}
+	ing := c.createIng3(name)
+	ing.Spec.TLS = tls
+	return ing
+}
+
 func (c *testConfig) createObject(cfg string) runtime.Object {
 	obj, _, err := c.decode([]byte(cfg), nil, nil)
 	if err != nil {