Default TLS certificate shouldn't be applied to cluster local routes
dprotaso committed Jul 8, 2024
1 parent 80ccaca commit 5e96a65
Showing 2 changed files with 107 additions and 15 deletions.
10 changes: 5 additions & 5 deletions pkg/reconciler/contour/resources/httpproxy.go
Expand Up @@ -123,13 +123,13 @@ func MakeHTTPProxies(ctx context.Context, ing *v1alpha1.Ingress, serviceToProtoc

proxies := []*v1.HTTPProxy{}
for _, rule := range ing.Spec.Rules {
class := config.FromContext(ctx).Contour.VisibilityClasses[rule.Visibility]
class := cfg.Contour.VisibilityClasses[rule.Visibility]

routes := make([]v1.Route, 0, len(rule.HTTP.Paths))
for _, path := range rule.HTTP.Paths {
top := &v1.TimeoutPolicy{
Response: config.FromContext(ctx).Contour.TimeoutPolicyResponse,
Idle: config.FromContext(ctx).Contour.TimeoutPolicyIdle,
Response: cfg.Contour.TimeoutPolicyResponse,
Idle: cfg.Contour.TimeoutPolicyIdle,
}

// By default retry on connection problems twice.
Expand Down Expand Up @@ -299,7 +299,7 @@ func MakeHTTPProxies(ctx context.Context, ing *v1alpha1.Ingress, serviceToProtoc

// Ideally these would just be marked ClusterLocal :(
if strings.HasSuffix(originalHost, network.GetClusterDomainName()) {
class = config.FromContext(ctx).Contour.VisibilityClasses[v1alpha1.IngressVisibilityClusterLocal]
class = cfg.Contour.VisibilityClasses[v1alpha1.IngressVisibilityClusterLocal]
hostProxy.Annotations[ClassKey] = class
hostProxy.Labels[ClassKey] = class
}
Expand Down Expand Up @@ -334,7 +334,7 @@ func MakeHTTPProxies(ctx context.Context, ing *v1alpha1.Ingress, serviceToProtoc
hostProxy.Spec.VirtualHost.TLS = &v1.TLS{
SecretName: fmt.Sprintf("%s/%s", tls.SecretNamespace, tls.SecretName),
}
} else if s := config.FromContext(ctx).Contour.DefaultTLSSecret; s != nil {
} else if s := cfg.Contour.DefaultTLSSecret; s != nil && rule.Visibility == v1alpha1.IngressVisibilityExternalIP {
hostProxy.Spec.VirtualHost.TLS = &v1.TLS{SecretName: s.String()}
}

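Review bot: The new guard on the `DefaultTLSSecret` branch keys on `rule.Visibility`, but the hunk just above it reclassifies any host ending in the cluster domain to the cluster-local class regardless of the rule's visibility, so an ExternalIP rule carrying such a host would still get the default (external) certificate attached to an internal-only proxy. If that path is reachable and `originalHost` is still in scope there, the condition should follow the same rule as the reclassification, e.g. `} else if s := cfg.Contour.DefaultTLSSecret; s != nil && rule.Visibility == v1alpha1.IngressVisibilityExternalIP && !strings.HasSuffix(originalHost, network.GetClusterDomainName()) {`, or better a single per-host boolean set at the point `class` is reassigned and consulted by both. Separately, `class` is declared once per rule and overwritten per host, so once one host in a rule is reclassified every later host in that rule appears to keep the cluster-local class; that predates this commit but deserves a `// NOTE: class is per-rule; reclassification sticks for later hosts` or a per-host local. MakeHTTPProxies begins and ends outside these hunks.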
112 changes: 102 additions & 10 deletions pkg/reconciler/contour/resources/httpproxy_test.go
Expand Up @@ -970,9 +970,6 @@ func TestMakeProxies(t *testing.T) {
Spec: v1.HTTPProxySpec{
VirtualHost: &v1.VirtualHost{
Fqdn: "bar.foo",
TLS: &v1.TLS{
SecretName: "foo/bar",
},
},
Routes: []v1.Route{{
EnableWebsockets: true,
Expand Down Expand Up @@ -1055,9 +1052,6 @@ func TestMakeProxies(t *testing.T) {
Spec: v1.HTTPProxySpec{
VirtualHost: &v1.VirtualHost{
Fqdn: "bar.foo.svc",
TLS: &v1.TLS{
SecretName: "foo/bar",
},
},
Routes: []v1.Route{{
EnableWebsockets: true,
Expand Down Expand Up @@ -1140,9 +1134,6 @@ func TestMakeProxies(t *testing.T) {
Spec: v1.HTTPProxySpec{
VirtualHost: &v1.VirtualHost{
Fqdn: "bar.foo.svc.cluster.local",
TLS: &v1.TLS{
SecretName: "foo/bar",
},
},
Routes: []v1.Route{{
EnableWebsockets: true,
Expand Down Expand Up @@ -1392,6 +1383,25 @@ func TestMakeProxies(t *testing.T) {
}},
}},
},
}, {
Hosts: []string{
"hello.default",
},
Visibility: v1alpha1.IngressVisibilityClusterLocal,
HTTP: &v1alpha1.HTTPIngressRuleValue{
Paths: []v1alpha1.HTTPIngressPath{{
Splits: []v1alpha1.IngressBackendSplit{{
IngressBackend: v1alpha1.IngressBackend{
ServiceName: "goo",
ServicePort: intstr.FromInt(123),
},
Percent: 100,
AppendHeaders: map[string]string{
"Baz": "blah",
},
}},
}},
},
}},
},
},
Expand Down Expand Up @@ -1440,7 +1450,89 @@ func TestMakeProxies(t *testing.T) {
RequestHeadersPolicy: &v1.HeadersPolicy{
Set: []v1.HeaderValue{{
Name: "K-Network-Hash",
Value: "225764a7e90e21a05c0591ed9ec9f82f7014ce34f3293ecee049ed44c3ab9eb1",
Value: "1767beffd53ed097be2cf345709d9b65a8b09943196418e59d82ecf48b562e97",
}},
},
Services: []v1.Service{{
Name: "goo",
Protocol: &protocol,
Port: 123,
Weight: 100,
RequestHeadersPolicy: &v1.HeadersPolicy{
Set: []v1.HeaderValue{{
Name: "Baz",
Value: "blah",
}},
},
}},
}, {
EnableWebsockets: true,
PermitInsecure: true,
TimeoutPolicy: &v1.TimeoutPolicy{
Response: "infinity",
Idle: "infinity",
},
RetryPolicy: defaultRetryPolicy(),
RequestHeadersPolicy: &v1.HeadersPolicy{
Set: []v1.HeaderValue{},
},
Services: []v1.Service{{
Name: "goo",
Protocol: &protocol,
Port: 123,
Weight: 100,
RequestHeadersPolicy: &v1.HeadersPolicy{
Set: []v1.HeaderValue{{
Name: "Baz",
Value: "blah",
}},
},
}},
}},
},
}, {
ObjectMeta: metav1.ObjectMeta{
Namespace: "foo",
Name: "bar-" + privateClass + "-hello.default",
Labels: map[string]string{
DomainHashKey: "b8a521823106d27dcc64898df9d4bab6ad322938",
GenerationKey: "0",
ParentKey: "bar",
ClassKey: privateClass,
},
Annotations: map[string]string{
ClassKey: privateClass,
},
OwnerReferences: []metav1.OwnerReference{{
APIVersion: "networking.internal.knative.dev/v1alpha1",
Kind: "Ingress",
Name: "bar",
Controller: ptr.Bool(true),
BlockOwnerDeletion: ptr.Bool(true),
}},
},
Spec: v1.HTTPProxySpec{
VirtualHost: &v1.VirtualHost{
Fqdn: "hello.default",
},
Routes: []v1.Route{{
EnableWebsockets: true,
PermitInsecure: true,
TimeoutPolicy: &v1.TimeoutPolicy{
Response: "infinity",
Idle: "infinity",
},
RetryPolicy: defaultRetryPolicy(),
Conditions: []v1.MatchCondition{{
Header: &v1.HeaderMatchCondition{
Name: "K-Network-Hash",
Exact: "override",
},
}},
RequestHeadersPolicy: &v1.HeadersPolicy{
Set: []v1.HeaderValue{{
Name: "K-Network-Hash",
Value: "1767beffd53ed097be2cf345709d9b65a8b09943196418e59d82ecf48b562e97",
}},
},
Services: []v1.Service{{
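Review bot: The added case pins that a ClusterLocal rule yields a proxy for `hello.default` with no `TLS` block, but nothing in this hunk asserts the positive side of the fix — that an `IngressVisibilityExternalIP` rule still receives `DefaultTLSSecret` — so a regression that drops the default certificate everywhere would pass this table. Unless such a case exists elsewhere in TestMakeProxies, add an expected proxy for an external host with `TLS: &v1.TLS{SecretName: "foo/bar"}` (the removed lines suggest that is the fixture's default secret; confirm against the test config). The hard-coded `K-Network-Hash` values such as `1767beff…` also make the table churn on unrelated changes; deriving them with the same hashing helper the reconciler uses would keep the expectation stable. TestMakeProxies starts and ends outside these hunks.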

0 comments on commit 5e96a65

Please sign in to comment.