From ee82b17937dc3cc7d213d723ef8361f4509d0471 Mon Sep 17 00:00:00 2001 From: Steve Kriss Date: Wed, 12 Oct 2022 16:25:11 -0600 Subject: [PATCH 1/2] allow TLS secrets to be of type Opaque Closes #3180. Signed-off-by: Steve Kriss --- internal/dag/secret.go | 20 +++++--------------- internal/dag/secret_test.go | 22 +++++++++++----------- 2 files changed, 16 insertions(+), 26 deletions(-) diff --git a/internal/dag/secret.go b/internal/dag/secret.go index 6af42d4806b..51659842d3c 100644 --- a/internal/dag/secret.go +++ b/internal/dag/secret.go @@ -32,15 +32,12 @@ const ( CRLKey = "crl.pem" ) -// validTLSSecret returns an error if the Secret is not of type TLS or +// validTLSSecret returns an error if the Secret is not of type TLS or Opaque or // if it doesn't contain valid certificate and private key material in // the tls.crt and tls.key keys. func validTLSSecret(secret *v1.Secret) error { - // Must be of type TLS (TODO can we relax this? https://github.com/projectcontour/contour/issues/3180) - // Must have isValid tls.crt and tls.key data - - if secret.Type != v1.SecretTypeTLS { - return fmt.Errorf("secret type is not %q", v1.SecretTypeTLS) + if secret.Type != v1.SecretTypeTLS && secret.Type != v1.SecretTypeOpaque { + return fmt.Errorf("secret type is not %q or %q", v1.SecretTypeTLS, v1.SecretTypeOpaque) } data, ok := secret.Data[v1.TLSCertKey] @@ -64,12 +61,9 @@ func validTLSSecret(secret *v1.Secret) error { return nil } -// validCASecret returns an error if the Secret is not of type Opaque or TLS or +// validCASecret returns an error if the Secret is not of type TLS or Opaque or // if it doesn't contain a valid CA bundle in the ca.crt key. func validCASecret(secret *v1.Secret) error { - // Must be of type Opaque or TLS - // Must have valid ca.crt data - if secret.Type != v1.SecretTypeTLS && secret.Type != v1.SecretTypeOpaque { return fmt.Errorf("secret type is not %q or %q", v1.SecretTypeTLS, v1.SecretTypeOpaque) } 
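Review bot: The relaxed type check and its `secret type is not %q or %q` message are now copied verbatim into validTLSSecret, matching the two copies already in validCASecret and validCRLSecret, which is exactly how the TLS copy drifted from the others before this change; a single validSecretType helper keeps the three in step. Separately, the API server requires the `tls.crt` and `tls.key` keys to be present on a `kubernetes.io/tls` Secret at admission, while an `Opaque` Secret carries no such guarantee, so the `secret.Data[v1.TLSCertKey]` lookup that follows the type check is now the only thing keeping an arbitrary Opaque Secret out of the TLS path; the rest of validTLSSecret is outside the hunk, so I'd add a doc-comment line such as `// For Opaque secrets the key checks below are the only guarantee that tls.crt and tls.key exist.` so the next maintainer doesn't assume the type filter still does that work.
```go
// validSecretType returns an error unless the Secret is of type TLS or Opaque.
// The TLS, CA and CRL validators all accept either type; only the key contents differ.
func validSecretType(secret *v1.Secret) error {
	if secret.Type != v1.SecretTypeTLS && secret.Type != v1.SecretTypeOpaque {
		return fmt.Errorf("secret type is not %q or %q", v1.SecretTypeTLS, v1.SecretTypeOpaque)
	}
	return nil
}

func validTLSSecret(secret *v1.Secret) error {
	if err := validSecretType(secret); err != nil {
		return err
	}
	// … unchanged: tls.crt / tls.key presence and material checks …
```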
@@ -85,13 +79,9 @@ func validCASecret(secret *v1.Secret) error { return nil } -// validCRLSecret returns an error if the Secret is not of type Opaque or TLS or +// validCRLSecret returns an error if the Secret is not of type TLS or Opaque or // if it doesn't contain a valid CRL in the crl.pem key. func validCRLSecret(secret *v1.Secret) error { - - // Must be of type Opaque or TLS - // Must have isValid crl.pem data - if secret.Type != v1.SecretTypeTLS && secret.Type != v1.SecretTypeOpaque { return fmt.Errorf("secret type is not %q or %q", v1.SecretTypeTLS, v1.SecretTypeOpaque) } diff --git a/internal/dag/secret_test.go b/internal/dag/secret_test.go index ae50035b5da..a949cb372e0 100644 --- a/internal/dag/secret_test.go +++ b/internal/dag/secret_test.go @@ -244,7 +244,7 @@ func TestValidSecrets(t *testing.T) { CACertificateKey: []byte(fixture.CA_CERT), }, }, - tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`), + tlsSecretError: errors.New(`missing TLS certificate`), caSecretError: nil, crlSecretError: errors.New(`empty "crl.pem" key`), }, @@ -255,7 +255,7 @@ func TestValidSecrets(t *testing.T) { CACertificateKey: []byte(fixture.CERTIFICATE_WITH_TEXT), }, }, - tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`), + tlsSecretError: errors.New(`missing TLS certificate`), caSecretError: nil, crlSecretError: errors.New(`empty "crl.pem" key`), }, @@ -266,7 +266,7 @@ func TestValidSecrets(t *testing.T) { CACertificateKey: []byte(fixture.CA_CERT_NO_CN), }, }, - tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`), + tlsSecretError: errors.New(`missing TLS certificate`), caSecretError: nil, crlSecretError: errors.New(`empty "crl.pem" key`), }, 
@@ -275,7 +275,7 @@ func TestValidSecrets(t *testing.T) { Type: v1.SecretTypeOpaque, Data: caBundleData(fixture.CERTIFICATE, fixture.CERTIFICATE, fixture.CERTIFICATE, fixture.CERTIFICATE), }, - tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`), + tlsSecretError: errors.New(`missing TLS certificate`), caSecretError: nil, crlSecretError: errors.New(`empty "crl.pem" key`), }, @@ -284,7 +284,7 @@ func TestValidSecrets(t *testing.T) { Type: v1.SecretTypeOpaque, Data: caBundleData(), }, - tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`), + tlsSecretError: errors.New(`missing TLS certificate`), caSecretError: errors.New(`invalid CA certificate bundle: failed to locate certificate`), crlSecretError: errors.New(`empty "crl.pem" key`), }, @@ -295,7 +295,7 @@ func TestValidSecrets(t *testing.T) { CACertificateKey: []byte(""), }, }, - tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`), + tlsSecretError: errors.New(`missing TLS certificate`), caSecretError: errors.New(`empty "ca.crt" key`), crlSecretError: errors.New(`empty "crl.pem" key`), }, @@ -306,7 +306,7 @@ func TestValidSecrets(t *testing.T) { "some-other-key": []byte("value"), }, }, - tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`), + tlsSecretError: errors.New(`missing TLS certificate`), caSecretError: errors.New(`empty "ca.crt" key`), crlSecretError: errors.New(`empty "crl.pem" key`), }, @@ -319,7 +319,7 @@ func TestValidSecrets(t *testing.T) { CACertificateKey: []byte(fixture.CA_CERT), }, }, - tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`), + tlsSecretError: nil, caSecretError: nil, crlSecretError: errors.New(`empty "crl.pem" key`), }, 
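Review bot: The case whose expectation flips to `tlsSecretError: nil` in the `@@ -319` hunk is the only positive Opaque TLS case visible, and every other Opaque case in the table fails with `missing TLS certificate` because `tls.crt` is absent; nothing shown exercises an Opaque Secret that has `tls.crt` but no `tls.key`, the shape the API server would have rejected for a `kubernetes.io/tls` Secret but will happily store as Opaque. If no such case exists elsewhere in the table, add one with the expected error being whatever validTLSSecret returns for a missing `tls.key` (that branch is outside the hunk), so the presence check stays pinned now that the type check no longer filters these secrets out. The Type line of the flipped case is also outside the hunk, so I'm inferring it is Opaque from the expectation changing to nil.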
@@ -330,7 +330,7 @@ func TestValidSecrets(t *testing.T) { CRLKey: []byte(fixture.CRL), }, }, - tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`), + tlsSecretError: errors.New(`missing TLS certificate`), caSecretError: errors.New(`empty "ca.crt" key`), crlSecretError: nil, }, @@ -341,7 +341,7 @@ func TestValidSecrets(t *testing.T) { CRLKey: []byte(""), }, }, - tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`), + tlsSecretError: errors.New(`missing TLS certificate`), caSecretError: errors.New(`empty "ca.crt" key`), crlSecretError: errors.New(`empty "crl.pem" key`), }, @@ -355,7 +355,7 @@ func TestValidSecrets(t *testing.T) { CRLKey: []byte(fixture.CRL), }, }, - tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`), + tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls" or "Opaque"`), caSecretError: errors.New(`secret type is not "kubernetes.io/tls" or "Opaque"`), crlSecretError: errors.New(`secret type is not "kubernetes.io/tls" or "Opaque"`), }, From e008ac5356ffeded71a53cb3033ef573211af5eb Mon Sep 17 00:00:00 2001 From: Steve Kriss Date: Mon, 17 Oct 2022 14:03:25 -0600 Subject: [PATCH 2/2] changelog Signed-off-by: Steve Kriss --- changelogs/unreleased/4799-skriss-small.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelogs/unreleased/4799-skriss-small.md diff --git a/changelogs/unreleased/4799-skriss-small.md b/changelogs/unreleased/4799-skriss-small.md new file mode 100644 index 00000000000..11635956497 --- /dev/null +++ b/changelogs/unreleased/4799-skriss-small.md @@ -0,0 +1 @@ +Allow TLS certificate secrets to be of type `Opaque` as long as they have valid `tls.crt` and `tls.key` entries. \ No newline at end of file