internal/contour: generate an Envoy secret for the fallback certifica…

…te (projectcontour#2723) Update the DAG visitor to emit an Envoy secret if the Contour fallback certificate is used by a secure virtual host. This fixes projectcontour#2720. Signed-off-by: James Peach <jpeach@vmware.com>
tthebst · Aug 6, 2020 · 39e8938 · 39e8938
1 parent f479be8
commit 39e8938
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 9 deletions.
diff --git a/internal/contour/secret.go b/internal/contour/secret.go
@@ -85,15 +85,22 @@ func visitSecrets(root dag.Vertex) map[string]*envoy_api_v2_auth.Secret {
 	return sv.secrets
 }
 
+func (v *secretVisitor) addSecret(s *dag.Secret) {
+	name := envoy.Secretname(s)
+	if _, ok := v.secrets[name]; !ok {
+		envoySecret := envoy.Secret(s)
+		v.secrets[envoySecret.Name] = envoySecret
+	}
+}
+
 func (v *secretVisitor) visit(vertex dag.Vertex) {
 	switch svh := vertex.(type) {
 	case *dag.SecureVirtualHost:
 		if svh.Secret != nil {
-			name := envoy.Secretname(svh.Secret)
-			if _, ok := v.secrets[name]; !ok {
-				s := envoy.Secret(svh.Secret)
-				v.secrets[s.Name] = s
-			}
+			v.addSecret(svh.Secret)
+		}
+		if svh.FallbackCertificate != nil {
+			v.addSecret(svh.FallbackCertificate)
 		}
 	default:
 		vertex.Visit(v.visit)

diff --git a/internal/featuretests/fallbackcert_test.go b/internal/featuretests/fallbackcert_test.go
@@ -16,12 +16,12 @@ package featuretests
 import (
 	"testing"
 
-	projcontour "github.com/projectcontour/contour/apis/projectcontour/v1"
-	"github.com/projectcontour/contour/internal/fixture"
-
 	v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2"
+	envoy_api_v2_auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth"
+	envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
+	projcontour "github.com/projectcontour/contour/apis/projectcontour/v1"
 	"github.com/projectcontour/contour/internal/envoy"
-
+	"github.com/projectcontour/contour/internal/fixture"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -283,10 +283,60 @@ func TestFallbackCertificate(t *testing.T) {
 		),
 	})
 
+	// We should have emitted TLS certificate secrets for both
+	// the proxy certificate and for the fallback certificate.
+	c.Request(secretType).Equals(&v2.DiscoveryResponse{
+		TypeUrl: secretType,
+		Resources: resources(t,
+			&envoy_api_v2_auth.Secret{
+				Name: "admin/fallbacksecret/68621186db",
+				Type: &envoy_api_v2_auth.Secret_TlsCertificate{
+					TlsCertificate: &envoy_api_v2_auth.TlsCertificate{
+						CertificateChain: &envoy_api_v2_core.DataSource{
+							Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
+								InlineBytes: fallbackSecret.Data[v1.TLSCertKey],
+							},
+						},
+						PrivateKey: &envoy_api_v2_core.DataSource{
+							Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
+								InlineBytes: fallbackSecret.Data[v1.TLSPrivateKeyKey],
+							},
+						},
+					},
+				},
+			},
+			&envoy_api_v2_auth.Secret{
+				Name: "default/secret/68621186db",
+				Type: &envoy_api_v2_auth.Secret_TlsCertificate{
+					TlsCertificate: &envoy_api_v2_auth.TlsCertificate{
+						CertificateChain: &envoy_api_v2_core.DataSource{
+							Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
+								InlineBytes: sec1.Data[v1.TLSCertKey],
+							},
+						},
+						PrivateKey: &envoy_api_v2_core.DataSource{
+							Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
+								InlineBytes: sec1.Data[v1.TLSPrivateKeyKey],
+							},
+						},
+					},
+				},
+			},
+		),
+	})
+
 	rh.OnDelete(fallbackSecret)
 
 	c.Request(listenerType, "ingress_https").Equals(&v2.DiscoveryResponse{
 		TypeUrl:   listenerType,
 		Resources: nil,
 	})
+
+	rh.OnDelete(proxy4)
+	rh.OnDelete(proxy2)
+
+	c.Request(secretType).Equals(&v2.DiscoveryResponse{
+		TypeUrl:   secretType,
+		Resources: nil,
+	})
 }