From 39e8938d05c478b0226e7502fd22e9a117ddd05b Mon Sep 17 00:00:00 2001
From: James Peach
Date: Thu, 23 Jul 2020 14:17:03 +1000
Subject: [PATCH] internal/contour: generate an Envoy secret for the fallback certificate (#2723)

Update the DAG visitor to emit an Envoy secret if the Contour fallback certificate is used by a secure virtual host.

This fixes #2720.

Signed-off-by: James Peach
---
 internal/contour/secret.go | 17 +++++--
 internal/featuretests/fallbackcert_test.go | 58 ++++++++++++++++++++--
 2 files changed, 66 insertions(+), 9 deletions(-)

diff --git a/internal/contour/secret.go b/internal/contour/secret.go
index 819e2852445..b3ef96f92d8 100644
--- a/internal/contour/secret.go
+++ b/internal/contour/secret.go
@@ -85,15 +85,22 @@ func visitSecrets(root dag.Vertex) map[string]*envoy_api_v2_auth.Secret {
 return sv.secrets
 }
 
+func (v *secretVisitor) addSecret(s *dag.Secret) {
+name := envoy.Secretname(s)
+if _, ok := v.secrets[name]; !ok {
+envoySecret := envoy.Secret(s)
+v.secrets[envoySecret.Name] = envoySecret
+}
+}
+
 func (v *secretVisitor) visit(vertex dag.Vertex) {
 switch svh := vertex.(type) {
 case *dag.SecureVirtualHost:
 if svh.Secret != nil {
-name := envoy.Secretname(svh.Secret)
-if _, ok := v.secrets[name]; !ok {
-s := envoy.Secret(svh.Secret)
-v.secrets[s.Name] = s
-}
+v.addSecret(svh.Secret)
+}
+if svh.FallbackCertificate != nil {
+v.addSecret(svh.FallbackCertificate)
 }
 default:
 vertex.Visit(v.visit)
diff --git a/internal/featuretests/fallbackcert_test.go b/internal/featuretests/fallbackcert_test.go
index d25b96b8481..01719b332ad 100644
--- a/internal/featuretests/fallbackcert_test.go
+++ b/internal/featuretests/fallbackcert_test.go
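Review bot: In `addSecret` the dedup check keys on `envoy.Secretname(s)` while the store keys on `envoy.Secret(s).Name`, so the guard and the write depend on two helpers agreeing; if they ever diverged the check would stop deduplicating and an SDS entry could be silently overwritten or duplicated. Using the one computed key for both, `v.secrets[name] = envoy.Secret(s)`, removes that coupling. The new method also has no doc comment; I'd add `// addSecret records the Envoy SDS secret for s under its Envoy secret name, unless a secret with that name was already visited.` and, since this path now also ships the fallback certificate's private key to Envoy, note that it is only reached from the SecureVirtualHost case, i.e. only for certificates a secure virtual host actually references. The body of `visit` ends outside the hunk.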
@@ -16,12 +16,12 @@ package featuretests
 import (
 "testing"
 
-projcontour "github.com/projectcontour/contour/apis/projectcontour/v1"
-"github.com/projectcontour/contour/internal/fixture"
-
 v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2"
+envoy_api_v2_auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth"
+envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
+projcontour "github.com/projectcontour/contour/apis/projectcontour/v1"
 "github.com/projectcontour/contour/internal/envoy"
-
+"github.com/projectcontour/contour/internal/fixture"
 v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -283,10 +283,60 @@ func TestFallbackCertificate(t *testing.T) {
 ),
 })
 
+// We should have emitted TLS certificate secrets for both
+// the proxy certificate and for the fallback certificate.
+c.Request(secretType).Equals(&v2.DiscoveryResponse{
+TypeUrl: secretType,
+Resources: resources(t,
+&envoy_api_v2_auth.Secret{
+Name: "admin/fallbacksecret/68621186db",
+Type: &envoy_api_v2_auth.Secret_TlsCertificate{
+TlsCertificate: &envoy_api_v2_auth.TlsCertificate{
+CertificateChain: &envoy_api_v2_core.DataSource{
+Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
+InlineBytes: fallbackSecret.Data[v1.TLSCertKey],
+},
+},
+PrivateKey: &envoy_api_v2_core.DataSource{
+Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
+InlineBytes: fallbackSecret.Data[v1.TLSPrivateKeyKey],
+},
+},
+},
+},
+},
+&envoy_api_v2_auth.Secret{
+Name: "default/secret/68621186db",
+Type: &envoy_api_v2_auth.Secret_TlsCertificate{
+TlsCertificate: &envoy_api_v2_auth.TlsCertificate{
+CertificateChain: &envoy_api_v2_core.DataSource{
+Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
+InlineBytes: sec1.Data[v1.TLSCertKey],
+},
+},
+PrivateKey: &envoy_api_v2_core.DataSource{
+Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
+InlineBytes: sec1.Data[v1.TLSPrivateKeyKey],
+},
+},
+},
+},
+},
+),
+})
+
 rh.OnDelete(fallbackSecret)
 
 c.Request(listenerType, "ingress_https").Equals(&v2.DiscoveryResponse{
 TypeUrl: listenerType,
 Resources: nil,
 })
+
+rh.OnDelete(proxy4)
+rh.OnDelete(proxy2)
+
+c.Request(secretType).Equals(&v2.DiscoveryResponse{
+TypeUrl: secretType,
+Resources: nil,
+})
 }
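Review bot: The state after `rh.OnDelete(fallbackSecret)` is only asserted on the listener, so the test never pins what the secrets response contains once the fallback Secret is gone while proxy2 and proxy4 still exist; a stale `admin/fallbacksecret/...` entry lingering in SDS would go unnoticed until both proxies are deleted. Adding a `c.Request(secretType).Equals(...)` between the fallback deletion and `rh.OnDelete(proxy4)` would pin that the fallback secret is withdrawn at that point (and whether `default/secret/68621186db` is retained, which I would expect but cannot confirm from this hunk). Both expected names hard-code the suffix `68621186db`; if that is the hash of the shared test certificate data, a one-line comment saying so would spare the next reader a lookup. `TestFallbackCertificate` starts outside the hunk.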