allow TLS secrets to be of type Opaque

Closes #3180. Signed-off-by: Steve Kriss <krisss@vmware.com>
projectcontour · Oct 17, 2022 · 35ab009 · 35ab009
1 parent 9afd3e6
commit 35ab009
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 26 deletions.
diff --git a/internal/dag/secret.go b/internal/dag/secret.go
@@ -32,15 +32,12 @@ const (
 	CRLKey = "crl.pem"
 )
 
-// validTLSSecret returns an error if the Secret is not of type TLS or
+// validTLSSecret returns an error if the Secret is not of type TLS or Opaque or
 // if it doesn't contain valid certificate and private key material in
 // the tls.crt and tls.key keys.
 func validTLSSecret(secret *v1.Secret) error {
-	// Must be of type TLS (TODO can we relax this? https://github.com/projectcontour/contour/issues/3180)
-	// Must have isValid tls.crt and tls.key data
-
-	if secret.Type != v1.SecretTypeTLS {
-		return fmt.Errorf("secret type is not %q", v1.SecretTypeTLS)
+	if secret.Type != v1.SecretTypeTLS && secret.Type != v1.SecretTypeOpaque {
+		return fmt.Errorf("secret type is not %q or %q", v1.SecretTypeTLS, v1.SecretTypeOpaque)
 	}
 
 	data, ok := secret.Data[v1.TLSCertKey]
@@ -64,12 +61,9 @@ func validTLSSecret(secret *v1.Secret) error {
 	return nil
 }
 
-// validCASecret returns an error if the Secret is not of type Opaque or TLS or
+// validCASecret returns an error if the Secret is not of type TLS or Opaque or
 // if it doesn't contain a valid CA bundle in the ca.crt key.
 func validCASecret(secret *v1.Secret) error {
-	// Must be of type Opaque or TLS
-	// Must have valid ca.crt data
-
 	if secret.Type != v1.SecretTypeTLS && secret.Type != v1.SecretTypeOpaque {
 		return fmt.Errorf("secret type is not %q or %q", v1.SecretTypeTLS, v1.SecretTypeOpaque)
 	}
@@ -85,13 +79,9 @@ func validCASecret(secret *v1.Secret) error {
 	return nil
 }
 
-// validCRLSecret returns an error if the Secret is not of type Opaque or TLS or
+// validCRLSecret returns an error if the Secret is not of type TLS or Opaque or
 // if it doesn't contain a valid CRL in the crl.pem key.
 func validCRLSecret(secret *v1.Secret) error {
-
-	// Must be of type Opaque or TLS
-	// Must have isValid crl.pem data
-
 	if secret.Type != v1.SecretTypeTLS && secret.Type != v1.SecretTypeOpaque {
 		return fmt.Errorf("secret type is not %q or %q", v1.SecretTypeTLS, v1.SecretTypeOpaque)
 	}

diff --git a/internal/dag/secret_test.go b/internal/dag/secret_test.go
@@ -244,7 +244,7 @@ func TestValidSecrets(t *testing.T) {
 					CACertificateKey: []byte(fixture.CA_CERT),
 				},
 			},
-			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
+			tlsSecretError: errors.New(`missing TLS certificate`),
 			caSecretError:  nil,
 			crlSecretError: errors.New(`empty "crl.pem" key`),
 		},
@@ -255,7 +255,7 @@ func TestValidSecrets(t *testing.T) {
 					CACertificateKey: []byte(fixture.CERTIFICATE_WITH_TEXT),
 				},
 			},
-			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
+			tlsSecretError: errors.New(`missing TLS certificate`),
 			caSecretError:  nil,
 			crlSecretError: errors.New(`empty "crl.pem" key`),
 		},
@@ -266,7 +266,7 @@ func TestValidSecrets(t *testing.T) {
 					CACertificateKey: []byte(fixture.CA_CERT_NO_CN),
 				},
 			},
-			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
+			tlsSecretError: errors.New(`missing TLS certificate`),
 			caSecretError:  nil,
 			crlSecretError: errors.New(`empty "crl.pem" key`),
 		},
@@ -275,7 +275,7 @@ func TestValidSecrets(t *testing.T) {
 				Type: v1.SecretTypeOpaque,
 				Data: caBundleData(fixture.CERTIFICATE, fixture.CERTIFICATE, fixture.CERTIFICATE, fixture.CERTIFICATE),
 			},
-			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
+			tlsSecretError: errors.New(`missing TLS certificate`),
 			caSecretError:  nil,
 			crlSecretError: errors.New(`empty "crl.pem" key`),
 		},
@@ -284,7 +284,7 @@ func TestValidSecrets(t *testing.T) {
 				Type: v1.SecretTypeOpaque,
 				Data: caBundleData(),
 			},
-			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
+			tlsSecretError: errors.New(`missing TLS certificate`),
 			caSecretError:  errors.New(`invalid CA certificate bundle: failed to locate certificate`),
 			crlSecretError: errors.New(`empty "crl.pem" key`),
 		},
@@ -295,7 +295,7 @@ func TestValidSecrets(t *testing.T) {
 					CACertificateKey: []byte(""),
 				},
 			},
-			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
+			tlsSecretError: errors.New(`missing TLS certificate`),
 			caSecretError:  errors.New(`empty "ca.crt" key`),
 			crlSecretError: errors.New(`empty "crl.pem" key`),
 		},
@@ -306,7 +306,7 @@ func TestValidSecrets(t *testing.T) {
 					"some-other-key": []byte("value"),
 				},
 			},
-			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
+			tlsSecretError: errors.New(`missing TLS certificate`),
 			caSecretError:  errors.New(`empty "ca.crt" key`),
 			crlSecretError: errors.New(`empty "crl.pem" key`),
 		},
@@ -319,7 +319,7 @@ func TestValidSecrets(t *testing.T) {
 					CACertificateKey:    []byte(fixture.CA_CERT),
 				},
 			},
-			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
+			tlsSecretError: nil,
 			caSecretError:  nil,
 			crlSecretError: errors.New(`empty "crl.pem" key`),
 		},
@@ -330,7 +330,7 @@ func TestValidSecrets(t *testing.T) {
 					CRLKey: []byte(fixture.CRL),
 				},
 			},
-			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
+			tlsSecretError: errors.New(`missing TLS certificate`),
 			caSecretError:  errors.New(`empty "ca.crt" key`),
 			crlSecretError: nil,
 		},
@@ -341,7 +341,7 @@ func TestValidSecrets(t *testing.T) {
 					CRLKey: []byte(""),
 				},
 			},
-			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
+			tlsSecretError: errors.New(`missing TLS certificate`),
 			caSecretError:  errors.New(`empty "ca.crt" key`),
 			crlSecretError: errors.New(`empty "crl.pem" key`),
 		},
@@ -355,7 +355,7 @@ func TestValidSecrets(t *testing.T) {
 					CRLKey:              []byte(fixture.CRL),
 				},
 			},
-			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
+			tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls" or "Opaque"`),
 			caSecretError:  errors.New(`secret type is not "kubernetes.io/tls" or "Opaque"`),
 			crlSecretError: errors.New(`secret type is not "kubernetes.io/tls" or "Opaque"`),
 		},