Merge pull request #702 from jcmoraisjr/jm-rules-tls

Independently configure rules and TLS
jcmoraisjr · Dec 10, 2020 · 7b9c385 · 7b9c385
2 parents 211d056 + 4889ec4
commit 7b9c385
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 20 deletions.
diff --git a/pkg/converters/ingress/ingress.go b/pkg/converters/ingress/ingress.go
@@ -440,31 +440,30 @@ func (c *converter) syncIngress(ing *networking.Ingress) {
 				}
 			}
 		}
-		for _, tls := range ing.Spec.TLS {
-			for _, tlshost := range tls.Hosts {
-				if tlshost == hostname {
-					tlsPath := c.addTLS(source, tlshost, tls.SecretName)
-					if host.TLS.TLSHash == "" {
-						host.TLS.TLSFilename = tlsPath.Filename
-						host.TLS.TLSHash = tlsPath.SHA1Hash
-						host.TLS.TLSCommonName = tlsPath.CommonName
-						host.TLS.TLSNotAfter = tlsPath.NotAfter
-					} else if host.TLS.TLSHash != tlsPath.SHA1Hash {
-						msg := fmt.Sprintf("TLS of host '%s' was already assigned", host.Hostname)
-						if tls.SecretName != "" {
-							c.logger.Warn("skipping TLS secret '%s' of ingress '%s': %s", tls.SecretName, fullIngName, msg)
-						} else {
-							c.logger.Warn("skipping default TLS secret of ingress '%s': %s", fullIngName, msg)
-						}
-					}
+	}
+	for _, tls := range ing.Spec.TLS {
+		// tls secret
+		for _, hostname := range tls.Hosts {
+			host := c.addHost(hostname, source, annHost)
+			tlsPath := c.addTLS(source, hostname, tls.SecretName)
+			if host.TLS.TLSHash == "" {
+				host.TLS.TLSFilename = tlsPath.Filename
+				host.TLS.TLSHash = tlsPath.SHA1Hash
+				host.TLS.TLSCommonName = tlsPath.CommonName
+				host.TLS.TLSNotAfter = tlsPath.NotAfter
+			} else if host.TLS.TLSHash != tlsPath.SHA1Hash {
+				msg := fmt.Sprintf("TLS of host '%s' was already assigned", host.Hostname)
+				if tls.SecretName != "" {
+					c.logger.Warn("skipping TLS secret '%s' of ingress '%s': %s", tls.SecretName, fullIngName, msg)
+				} else {
+					c.logger.Warn("skipping default TLS secret of ingress '%s': %s", fullIngName, msg)
 				}
 			}
 		}
-	}
-	for _, tls := range ing.Spec.TLS {
-		// distinct prefix, read from the Annotations map
+		// acme tracking
 		var tlsAcme bool
 		if c.options.AcmeTrackTLSAnn {
+			// distinct prefix, read from the Annotations map
 			tlsAcmeStr, _ := ing.Annotations[ingtypes.ExtraTLSAcme]
 			tlsAcme, _ = strconv.ParseBool(tlsAcmeStr)
 		}

diff --git a/pkg/converters/ingress/ingress_test.go b/pkg/converters/ingress/ingress_test.go
@@ -585,6 +585,21 @@ func TestSyncInvalidTLS(t *testing.T) {
 WARN using default certificate due to an error reading secret 'tls-invalid' on ingress 'default/echo': secret not found: 'default/tls-invalid'`)
 }
 
+func TestSyncTLSSecretWithoutHost(t *testing.T) {
+	c := setup(t)
+	defer c.teardown()
+
+	c.createSvc1Auto()
+	c.createSecretTLS1("default/tls-echo")
+	c.Sync(c.createIngTLS2("default/echo", "tls-echo:echo.example.com"))
+
+	c.compareConfigFront(`
+- hostname: echo.example.com
+  paths: []
+  tls:
+    tlsfilename: /tls/default/tls-echo.pem`)
+}
+
 func TestSyncIngressClass(t *testing.T) {
 	apiGroup1 := "some.io"
 	testCases := []struct {
@@ -1985,6 +2000,26 @@ func (c *testConfig) createIngTLS1(name, hostname, path, service, secretHostName
 	return ing
 }
 
+func (c *testConfig) createIngTLS2(name, secretHostName string) *networking.Ingress {
+	tls := []networking.IngressTLS{}
+	for _, secret := range strings.Split(secretHostName, ";") {
+		ssecret := strings.Split(secret, ":")
+		hosts := []string{}
+		if len(ssecret) > 1 {
+			for _, host := range strings.Split(ssecret[1], ",") {
+				hosts = append(hosts, host)
+			}
+		}
+		tls = append(tls, networking.IngressTLS{
+			Hosts:      hosts,
+			SecretName: ssecret[0],
+		})
+	}
+	ing := c.createIng3(name)
+	ing.Spec.TLS = tls
+	return ing
+}
+
 func (c *testConfig) createObject(cfg string) runtime.Object {
 	obj, _, err := c.decode([]byte(cfg), nil, nil)
 	if err != nil {