diff --git a/pkg/converters/ingress/ingress.go b/pkg/converters/ingress/ingress.go
index 134f9a5b7..68bc76a6f 100644
--- a/pkg/converters/ingress/ingress.go
+++ b/pkg/converters/ingress/ingress.go
@@ -440,31 +440,30 @@ func (c *converter) syncIngress(ing *networking.Ingress) {
 }
 }
 }
- for _, tls := range ing.Spec.TLS {
- for _, tlshost := range tls.Hosts {
- if tlshost == hostname {
- tlsPath := c.addTLS(source, tlshost, tls.SecretName)
- if host.TLS.TLSHash == "" {
- host.TLS.TLSFilename = tlsPath.Filename
- host.TLS.TLSHash = tlsPath.SHA1Hash
- host.TLS.TLSCommonName = tlsPath.CommonName
- host.TLS.TLSNotAfter = tlsPath.NotAfter
- } else if host.TLS.TLSHash != tlsPath.SHA1Hash {
- msg := fmt.Sprintf("TLS of host '%s' was already assigned", host.Hostname)
- if tls.SecretName != "" {
- c.logger.Warn("skipping TLS secret '%s' of ingress '%s': %s", tls.SecretName, fullIngName, msg)
- } else {
- c.logger.Warn("skipping default TLS secret of ingress '%s': %s", fullIngName, msg)
- }
- }
+ }
+ for _, tls := range ing.Spec.TLS {
+ // tls secret
+ for _, hostname := range tls.Hosts {
+ host := c.addHost(hostname, source, annHost)
+ tlsPath := c.addTLS(source, hostname, tls.SecretName)
+ if host.TLS.TLSHash == "" {
+ host.TLS.TLSFilename = tlsPath.Filename
+ host.TLS.TLSHash = tlsPath.SHA1Hash
+ host.TLS.TLSCommonName = tlsPath.CommonName
+ host.TLS.TLSNotAfter = tlsPath.NotAfter
+ } else if host.TLS.TLSHash != tlsPath.SHA1Hash {
+ msg := fmt.Sprintf("TLS of host '%s' was already assigned", host.Hostname)
+ if tls.SecretName != "" {
+ c.logger.Warn("skipping TLS secret '%s' of ingress '%s': %s", tls.SecretName, fullIngName, msg)
+ } else {
+ c.logger.Warn("skipping default TLS secret of ingress '%s': %s", fullIngName, msg)
 }
 }
 }
- }
- for _, tls := range ing.Spec.TLS {
- // distinct prefix, read from the Annotations map
+ // acme tracking
 var tlsAcme bool
 if c.options.AcmeTrackTLSAnn {
+ // distinct prefix, read from the Annotations map
 tlsAcmeStr, _ := ing.Annotations[ingtypes.ExtraTLSAcme]
 tlsAcme, _ = strconv.ParseBool(tlsAcmeStr)
 }
diff --git a/pkg/converters/ingress/ingress_test.go b/pkg/converters/ingress/ingress_test.go
index 1745ee76b..e9e90948d 100644
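Review bot: The new `for _, hostname := range tls.Hosts` loop calls `c.addHost(hostname, source, annHost)` for every entry under `spec.tls`, so a host is now created and given a certificate even when no rule of the ingress names it, and the `host.TLS.TLSHash == ""` branch keeps whichever secret is assigned first. In a cluster shared by several teams this means a hostname served by another ingress can end up with this ingress's certificate, with the `already assigned` warning as the only signal; whether `addHost` applies any hostname ownership or conflict check is outside the hunk and should be confirmed before merging. The `// tls secret` comment says none of this, and I would replace it with `// bind every tls host to its secret; hosts without a rule are created here and the first secret assigned wins`. syncIngress starts and ends outside the hunk.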
--- a/pkg/converters/ingress/ingress_test.go
+++ b/pkg/converters/ingress/ingress_test.go
@@ -585,6 +585,21 @@ func TestSyncInvalidTLS(t *testing.T) {
 WARN using default certificate due to an error reading secret 'tls-invalid' on ingress 'default/echo': secret not found: 'default/tls-invalid'`)
 }
 
+func TestSyncTLSSecretWithoutHost(t *testing.T) {
+ c := setup(t)
+ defer c.teardown()
+
+ c.createSvc1Auto()
+ c.createSecretTLS1("default/tls-echo")
+ c.Sync(c.createIngTLS2("default/echo", "tls-echo:echo.example.com"))
+
+ c.compareConfigFront(`
+- hostname: echo.example.com
+ paths: []
+ tls:
+ tlsfilename: /tls/default/tls-echo.pem`)
+}
+
 func TestSyncIngressClass(t *testing.T) {
 apiGroup1 := "some.io"
 testCases := []struct {
@@ -1985,6 +2000,26 @@ func (c *testConfig) createIngTLS1(name, hostname, path, service, secretHostName
 return ing
 }
 
+func (c *testConfig) createIngTLS2(name, secretHostName string) *networking.Ingress {
+ tls := []networking.IngressTLS{}
+ for _, secret := range strings.Split(secretHostName, ";") {
+ ssecret := strings.Split(secret, ":")
+ hosts := []string{}
+ if len(ssecret) > 1 {
+ for _, host := range strings.Split(ssecret[1], ",") {
+ hosts = append(hosts, host)
+ }
+ }
+ tls = append(tls, networking.IngressTLS{
+ Hosts: hosts,
+ SecretName: ssecret[0],
+ })
+ }
+ ing := c.createIng3(name)
+ ing.Spec.TLS = tls
+ return ing
+}
+
 func (c *testConfig) createObject(cfg string) runtime.Object {
 obj, _, err := c.decode([]byte(cfg), nil, nil)
 if err != nil {
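Review bot: TestSyncTLSSecretWithoutHost covers only a single ingress with one tls-only host, so the `TLS of host '%s' was already assigned` branch that the converter change now reaches for hosts without rules is never exercised. A second case should sync two ingresses that both list `echo.example.com` under tls with different secrets, then assert the resulting `tlsfilename` and the logged warning, in the way the WARN expectation of TestSyncInvalidTLS just above does. The test also carries no comment; `// a host declared only under spec.tls must still be created and bound to its secret` would state the intent.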
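Review bot: createIngTLS2 has no doc comment for its `secretHostName` mini-format, which a reader has to work out from the two `strings.Split` calls; add `// createIngTLS2 returns createIng3(name) with Spec.TLS parsed from "secret1:host1,host2;secret2:host3"`. The inner loop that copies the split result element by element can be written as `hosts = append(hosts, strings.Split(ssecret[1], ",")...)`. What createIng3 puts into the ingress is outside the hunk, so the comment should not claim more than the parsing.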