This is an automated email from the ASF dual-hosted git repository.
zhangjintao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-ingress-controller.git
The following commit(s) were added to refs/heads/master by this push:
new 62b7590 feat: support TLS for ingress v1 (#634)
62b7590 is described below
commit 62b7590443e037ecd6b41521accea567e09ad340
Author: Sarasa Kisaragi <[email protected]>
AuthorDate: Wed Aug 25 17:30:57 2021 +0800
feat: support TLS for ingress v1 (#634)
Signed-off-by: Ling Samuel <[email protected]>
---
go.sum | 1 +
pkg/ingress/manifest.go | 4 --
pkg/kube/translation/ingress.go | 31 ++++++++++-
test/e2e/go.mod | 1 +
test/e2e/ingress/ingress.go | 113 ++++++++++++++++++++++++++++++++++++++--
5 files changed, 140 insertions(+), 10 deletions(-)
diff --git a/go.sum b/go.sum
index fab5d3d..a30c5f0 100644
--- a/go.sum
+++ b/go.sum
@@ -386,6 +386,7 @@ golang.org/x/crypto
v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83
h1:/ZScEX8SfEmUGRHs0gxpqteO5nfNW6axyZbBdw9A12g=
golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod
h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
diff --git a/pkg/ingress/manifest.go b/pkg/ingress/manifest.go
index cb6a23b..2d82a30 100644
--- a/pkg/ingress/manifest.go
+++ b/pkg/ingress/manifest.go
@@ -148,7 +148,6 @@ type manifest struct {
}
func (m *manifest) diff(om *manifest) (added, updated, deleted *manifest) {
- // add diff ssl
sa, su, sd := diffSSL(om.ssl, m.ssl)
ar, ur, dr := diffRoutes(om.routes, m.routes)
au, uu, du := diffUpstreams(om.upstreams, m.upstreams)
@@ -186,7 +185,6 @@ func (c *Controller) syncManifests(ctx context.Context,
added, updated, deleted
clusterName := c.cfg.APISIX.DefaultClusterName
if deleted != nil {
- // delete ssl
for _, ssl := range deleted.ssl {
if err :=
c.apisix.Cluster(clusterName).SSL().Delete(ctx, ssl); err != nil {
merr = multierror.Append(merr, err)
@@ -218,7 +216,6 @@ func (c *Controller) syncManifests(ctx context.Context,
added, updated, deleted
}
if added != nil {
// Should create upstreams firstly due to the dependencies.
- // add ssl
for _, ssl := range added.ssl {
if _, err :=
c.apisix.Cluster(clusterName).SSL().Create(ctx, ssl); err != nil {
merr = multierror.Append(merr, err)
@@ -241,7 +238,6 @@ func (c *Controller) syncManifests(ctx context.Context,
added, updated, deleted
}
}
if updated != nil {
- // update ssl
for _, ssl := range updated.ssl {
if _, err :=
c.apisix.Cluster(clusterName).SSL().Update(ctx, ssl); err != nil {
merr = multierror.Append(merr, err)
diff --git a/pkg/kube/translation/ingress.go b/pkg/kube/translation/ingress.go
index 5f44baa..cc126ca 100644
--- a/pkg/kube/translation/ingress.go
+++ b/pkg/kube/translation/ingress.go
@@ -39,6 +39,36 @@ func (t *translator) translateIngressV1(ing
*networkingv1.Ingress) (*TranslateCo
}
plugins := t.translateAnnotations(ing.Annotations)
+ // add https
+ for _, tls := range ing.Spec.TLS {
+ apisixTls := apisixv12.ApisixTls{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "ApisixTls",
+ APIVersion: "apisix.apache.org/v1",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: fmt.Sprintf("%v-%v", ing.Name,
"tls"),
+ Namespace: ing.Namespace,
+ },
+ Spec: &apisixv12.ApisixTlsSpec{},
+ }
+ for _, host := range tls.Hosts {
+ apisixTls.Spec.Hosts = append(apisixTls.Spec.Hosts,
apisixv12.HostType(host))
+ }
+ apisixTls.Spec.Secret = apisixv12.ApisixSecret{
+ Name: tls.SecretName,
+ Namespace: ing.Namespace,
+ }
+ ssl, err := t.TranslateSSL(&apisixTls)
+ if err != nil {
+ log.Errorw("failed to translate ingress tls to apisix
tls",
+ zap.Error(err),
+ zap.Any("ingress", ing),
+ )
+ return nil, err
+ }
+ ctx.addSSL(ssl)
+ }
for _, rule := range ing.Spec.Rules {
for _, pathRule := range rule.HTTP.Paths {
var (
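Review bot: Every entry of `ing.Spec.TLS` gets an ApisixTls with the same name, `fmt.Sprintf("%v-%v", ing.Name, "tls")`, so an Ingress with two or more `tls` blocks (different hosts or secrets) produces SSL objects that share one identity — the e2e assertion `id.GenID(s.Namespace()+"_httpbin-ingress-https-tls")` suggests the SSL id is derived from exactly this string — and presumably the last entry overwrites the earlier ones instead of coexisting with them. Make the name unique per entry, e.g. `for i, tls := range ing.Spec.TLS {` and `Name: fmt.Sprintf("%v-tls-%d", ing.Name, i),`, adjust the e2e id expectation accordingly, and mirror the change in translateIngressV1beta1, which builds its ApisixTls the same way in the next hunk. Kubernetes also allows a `tls` entry with an empty `secretName` (meaning "use the default certificate"); here that becomes `ApisixSecret{Name: ""}` and silently relies on TranslateSSL rejecting it, so an explicit `if tls.SecretName == "" { continue }` (or a returned error) with a comment stating the intended handling would make the behaviour visible. translateIngressV1 starts before this hunk and its body continues past it.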
@@ -109,7 +139,6 @@ func (t *translator) translateIngressV1beta1(ing
*networkingv1beta1.Ingress) (*T
Namespace: ing.Namespace,
},
Spec: &apisixv12.ApisixTlsSpec{},
- //Status: configv2alpha1.ApisixStatus{},
}
for _, host := range tls.Hosts {
apisixTls.Spec.Hosts = append(apisixTls.Spec.Hosts,
apisixv12.HostType(host))
diff --git a/test/e2e/go.mod b/test/e2e/go.mod
index 7e026a3..9447d10 100644
--- a/test/e2e/go.mod
+++ b/test/e2e/go.mod
@@ -8,6 +8,7 @@ require (
github.com/gorilla/websocket v1.4.2
github.com/gruntwork-io/terratest v0.32.8
github.com/onsi/ginkgo v1.16.4
+ github.com/onsi/gomega v1.10.1
github.com/stretchr/testify v1.6.1
k8s.io/api v0.21.1
k8s.io/apimachinery v0.21.1
diff --git a/test/e2e/ingress/ingress.go b/test/e2e/ingress/ingress.go
index 5fb5649..7d3d45b 100644
--- a/test/e2e/ingress/ingress.go
+++ b/test/e2e/ingress/ingress.go
@@ -15,20 +15,59 @@
package ingress
import (
+ "crypto/tls"
+ "crypto/x509"
"fmt"
"net/http"
"time"
+ "github.com/apache/apisix-ingress-controller/pkg/id"
+ "github.com/onsi/ginkgo"
"github.com/stretchr/testify/assert"
+ corev1 "k8s.io/api/core/v1"
"github.com/apache/apisix-ingress-controller/test/e2e/scaffold"
- ginkgo "github.com/onsi/ginkgo"
- corev1 "k8s.io/api/core/v1"
)
-var _ = ginkgo.Describe("support ingress.networking/v1beta1 https", func() {
+var _ = ginkgo.Describe("support ingress https", func() {
s := scaffold.NewDefaultV2Scaffold()
+ rootCA := `-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+`
+
serverCertSecret := `server-secret`
serverCert := `-----BEGIN CERTIFICATE-----
MIIF/TCCA+WgAwIBAgIUBbUP7Gk0WAb/JhYYcBBgZEgmhbEwDQYJKoZIhvcNAQEL
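Review bot: The `rootCA`, `serverCert` and `serverKey` literals carry no comment saying what they are or when they expire, and a checked-in leaf certificate will silently start failing every https case here once its NotAfter passes. Add a header above `rootCA` such as `// Test-only self-signed CA plus leaf cert/key for mtls.httpbin.local, used only by this e2e suite; regenerate all three together before the leaf expires (check with: openssl x509 -noout -dates).` — the key is presumably a throwaway fixture, but saying so avoids a false secret-scanner alarm. As a point of style, the rewritten import block interleaves the module's own packages (`pkg/id`, `test/e2e/scaffold`) with third-party ones; goimports grouping would keep the `github.com/apache/...` lines together. The `corev1` import is re-added here but not used by any new line in this hunk — confirm it is still referenced further down.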
@@ -118,13 +157,12 @@
w174RSQoNMc+odHxn95mxtYdYVE5PKkzgrfxqymLa5Y0LMPCpKOq4XB0paZPtrOt
k1XbogS6EYyEdbkTDdXdUENvDrU7hzJXSVxJYADiqr44DGfWm6hK0bq9ZPc=
-----END RSA PRIVATE KEY-----
`
- ginkgo.It("create an ingress resource with tls", func() {
+ ginkgo.It("should support ingress v1beta1 with tls", func() {
// create secrets
err := s.NewSecret(serverCertSecret, serverCert, serverKey)
assert.Nil(ginkgo.GinkgoT(), err, "create server cert secret
error")
// create ingress
- //tlsName := "tls-with-client-ca"
host := "mtls.httpbin.local"
// create route
backendSvc, backendSvcPort := s.DefaultHTTPBackend()
@@ -156,8 +194,73 @@ spec:
assert.Nil(ginkgo.GinkgoT(), err, "list routes error")
assert.Len(ginkgo.GinkgoT(), apisixRoutes, 1, "route number not
expect")
+ apisixSsls, err := s.ListApisixSsl()
+ assert.Nil(ginkgo.GinkgoT(), err, "list SSLs error")
+ assert.Len(ginkgo.GinkgoT(), apisixSsls, 1, "SSL number should
be 1")
+ assert.Equal(ginkgo.GinkgoT(),
id.GenID(s.Namespace()+"_httpbin-ingress-https-tls"), apisixSsls[0].ID, "SSL
name")
+ assert.Equal(ginkgo.GinkgoT(), apisixSsls[0].Snis,
[]string{host}, "SSL configuration")
+
+ caCertPool := x509.NewCertPool()
+ ok := caCertPool.AppendCertsFromPEM([]byte(rootCA))
+ assert.True(ginkgo.GinkgoT(), ok, "Append cert to CA pool")
+
+ s.NewAPISIXHttpsClientWithCertificates(host, true, caCertPool,
[]tls.Certificate{}).
+ GET("/ip").WithHeader("Host",
host).Expect().Status(http.StatusOK)
})
+ ginkgo.It("should support ingress v1 with tls", func() {
+ // create secrets
+ err := s.NewSecret(serverCertSecret, serverCert, serverKey)
+ assert.Nil(ginkgo.GinkgoT(), err, "create server cert secret
error")
+
+ // create ingress
+ host := "mtls.httpbin.local"
+ // create route
+ backendSvc, backendSvcPort := s.DefaultHTTPBackend()
+ ing := fmt.Sprintf(`
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: httpbin-ingress-https
+ annotations:
+ kubernetes.io/ingress.class: apisix
+spec:
+ tls:
+ - hosts:
+ - %s
+ secretName: %s
+ rules:
+ - host: %s
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: %s
+ port:
+ number: %d
+`, host, serverCertSecret, host, backendSvc, backendSvcPort[0])
+ assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ing))
+ time.Sleep(10 * time.Second)
+
+ apisixRoutes, err := s.ListApisixRoutes()
+ assert.Nil(ginkgo.GinkgoT(), err, "list routes error")
+ assert.Len(ginkgo.GinkgoT(), apisixRoutes, 1, "route number not
expect")
+
+ apisixSsls, err := s.ListApisixSsl()
+ assert.Nil(ginkgo.GinkgoT(), err, "list SSLs error")
+ assert.Len(ginkgo.GinkgoT(), apisixSsls, 1, "SSL number should
be 1")
+ assert.Equal(ginkgo.GinkgoT(),
id.GenID(s.Namespace()+"_httpbin-ingress-https-tls"), apisixSsls[0].ID, "SSL
name")
+ assert.Equal(ginkgo.GinkgoT(), apisixSsls[0].Snis,
[]string{host}, "SSL configuration")
+
+ caCertPool := x509.NewCertPool()
+ ok := caCertPool.AppendCertsFromPEM([]byte(rootCA))
+ assert.True(ginkgo.GinkgoT(), ok, "Append cert to CA pool")
+
+ s.NewAPISIXHttpsClientWithCertificates(host, true, caCertPool,
[]tls.Certificate{}).
+ GET("/ip").WithHeader("Host",
host).Expect().Status(http.StatusOK)
+ })
})
var _ = ginkgo.Describe("support ingress.networking/v1", func() {
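Review bot: The new v1 case exercises only a single `spec.tls` entry, so `assert.Len(ginkgo.GinkgoT(), apisixSsls, 1, ...)` passes even if the translator names every entry `<ingress>-tls` and collapses them; add a variant with two `tls` entries (distinct hosts and secrets) asserting two SSLs with distinct `Snis`. The fixed `time.Sleep(10 * time.Second)` before listing routes is both the slow path and the flaky one; if the scaffold exposes a poll helper, an `assert.Eventually`-style loop waiting for `s.ListApisixSsl()` to return one entry would be more robust — the scaffold API is not visible from here. The v1 and v1beta1 cases repeat identical SSL assertions and TLS client setup; a small helper taking the host and expected id would keep them in step. The enclosing Describe closes at the `})` just before the trailing `var _` context line.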