From 4889ec4c06f719f47ec937d4cdbcc52917bc6c87 Mon Sep 17 00:00:00 2001 From: Joao Morais Date: Sun, 29 Nov 2020 15:35:53 -0300 Subject: [PATCH] independently configure rules and TLS Since the very first controller version, the TLS spec was only configured if a corresponding hostname was found in the rules of the same ingress resource. This commit changes this behavior and reads the TLS array as an independent configuration. This update is not backward compatible, since a misconfigured TLS entry used to be silently ignored. However, the new behavior better implements the ingress spec. --- pkg/converters/ingress/ingress.go | 39 +++++++++++++------------- pkg/converters/ingress/ingress_test.go | 35 +++++++++++++++++++++++ 2 files changed, 54 insertions(+), 20 deletions(-) diff --git a/pkg/converters/ingress/ingress.go b/pkg/converters/ingress/ingress.go index 134f9a5b7..68bc76a6f 100644 --- a/pkg/converters/ingress/ingress.go +++ b/pkg/converters/ingress/ingress.go 
@@ -440,31 +440,30 @@ func (c *converter) syncIngress(ing *networking.Ingress) { } } } - for _, tls := range ing.Spec.TLS { - for _, tlshost := range tls.Hosts { - if tlshost == hostname { - tlsPath := c.addTLS(source, tlshost, tls.SecretName) - if host.TLS.TLSHash == "" { - host.TLS.TLSFilename = tlsPath.Filename - host.TLS.TLSHash = tlsPath.SHA1Hash - host.TLS.TLSCommonName = tlsPath.CommonName - host.TLS.TLSNotAfter = tlsPath.NotAfter - } else if host.TLS.TLSHash != tlsPath.SHA1Hash { - msg := fmt.Sprintf("TLS of host '%s' was already assigned", host.Hostname) - if tls.SecretName != "" { - c.logger.Warn("skipping TLS secret '%s' of ingress '%s': %s", tls.SecretName, fullIngName, msg) - } else { - c.logger.Warn("skipping default TLS secret of ingress '%s': %s", fullIngName, msg) - } - } + } + for _, tls := range ing.Spec.TLS { + // tls secret + for _, hostname := range tls.Hosts { + host := c.addHost(hostname, source, annHost) + tlsPath := c.addTLS(source, hostname, tls.SecretName) + if host.TLS.TLSHash == "" { + host.TLS.TLSFilename = tlsPath.Filename + host.TLS.TLSHash = tlsPath.SHA1Hash + host.TLS.TLSCommonName = tlsPath.CommonName + host.TLS.TLSNotAfter = tlsPath.NotAfter + } else if host.TLS.TLSHash != tlsPath.SHA1Hash { + msg := fmt.Sprintf("TLS of host '%s' was already assigned", host.Hostname) + if tls.SecretName != "" { + c.logger.Warn("skipping TLS secret '%s' of ingress '%s': %s", tls.SecretName, fullIngName, msg) + } else { + c.logger.Warn("skipping default TLS secret of ingress '%s': %s", fullIngName, msg) } } } - } - for _, tls := range ing.Spec.TLS { - // distinct prefix, read from the Annotations map + // acme tracking var tlsAcme bool if c.options.AcmeTrackTLSAnn { + // distinct prefix, read from the Annotations map tlsAcmeStr, _ := ing.Annotations[ingtypes.ExtraTLSAcme] tlsAcme, _ = strconv.ParseBool(tlsAcmeStr) } diff --git a/pkg/converters/ingress/ingress_test.go b/pkg/converters/ingress/ingress_test.go index 1745ee76b..e9e90948d 100644 
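Review bot: An IngressTLS entry with an empty Hosts list still falls through silently in the new loop at `for _, hostname := range tls.Hosts`: no host is created, no secret is loaded and nothing is logged, even though the commit message says TLS is now read independently and the Ingress API documents a host-less TLS entry as defaulting to the controller's wildcard host. At minimum the case deserves a warning so the misconfiguration shows up in the logs, e.g. `if len(tls.Hosts) == 0 { c.logger.Warn("ignoring TLS secret '%s' of ingress '%s': no hosts declared", tls.SecretName, fullIngName) }` placed before the inner loop. The tls.Hosts values are also handed straight to `c.addHost` without whatever validation rule hostnames receive earlier in syncIngress; if addHost does not reject an empty string, a stray empty host entry would create a nameless frontend, so a `if hostname == "" { continue }` guard (with a warning) seems cheap insurance. The `// tls secret` comment could state what is new here, namely that hosts declared only in the TLS section are now created with no paths, which is the behavior the new test pins. syncIngress begins before and ends after this hunk.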
--- a/pkg/converters/ingress/ingress_test.go +++ b/pkg/converters/ingress/ingress_test.go @@ -585,6 +585,21 @@ func TestSyncInvalidTLS(t *testing.T) { WARN using default certificate due to an error reading secret 'tls-invalid' on ingress 'default/echo': secret not found: 'default/tls-invalid'`) } +func TestSyncTLSSecretWithoutHost(t *testing.T) { + c := setup(t) + defer c.teardown() + + c.createSvc1Auto() + c.createSecretTLS1("default/tls-echo") + c.Sync(c.createIngTLS2("default/echo", "tls-echo:echo.example.com")) + + c.compareConfigFront(` +- hostname: echo.example.com + paths: [] + tls: + tlsfilename: /tls/default/tls-echo.pem`) +} + func TestSyncIngressClass(t *testing.T) { apiGroup1 := "some.io" testCases := []struct { @@ -1985,6 +2000,26 @@ func (c *testConfig) createIngTLS1(name, hostname, path, service, secretHostName return ing } +func (c *testConfig) createIngTLS2(name, secretHostName string) *networking.Ingress { + tls := []networking.IngressTLS{} + for _, secret := range strings.Split(secretHostName, ";") { + ssecret := strings.Split(secret, ":") + hosts := []string{} + if len(ssecret) > 1 { + for _, host := range strings.Split(ssecret[1], ",") { + hosts = append(hosts, host) + } + } + tls = append(tls, networking.IngressTLS{ + Hosts: hosts, + SecretName: ssecret[0], + }) + } + ing := c.createIng3(name) + ing.Spec.TLS = tls + return ing +} + func (c *testConfig) createObject(cfg string) runtime.Object { obj, _, err := c.decode([]byte(cfg), nil, nil) if err != nil {
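Review bot: The new helper createIngTLS2 can build a TLS entry with no hosts (a bare secret name with no `:` part, which is what the `len(ssecret) > 1` check allows), but neither it nor TestSyncTLSSecretWithoutHost exercises that form, so the behavior the commit message calls a compatibility change, TLS declared without a matching rule, is only pinned for the hosted case; a second case such as `c.Sync(c.createIngTLS2("default/echo", "tls-echo"))` with its expected config or warning would close that gap. Stylistically, the inner loop in createIngTLS2 only copies the slice returned by `strings.Split(ssecret[1], ",")` element by element; `hosts = strings.Split(ssecret[1], ",")` with `var hosts []string` declared above is equivalent and shorter. The test name TestSyncTLSSecretWithoutHost is also slightly misleading since the TLS entry does carry a host; something like TestSyncTLSHostWithoutRule describes the scenario better.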