Merge pull request #6347 from lauraseidler/fix/gateway-warning-http

Do not process Gateway listeners that do not support TLS
jetstack-bot 2023-11-17 16:18:19 +01:00 committed by GitHub
commit c9e028f3db
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 94 additions and 27 deletions


@ -322,6 +322,11 @@ func buildCertificates(
}
case *gwapi.Gateway:
for i, l := range ingLike.Spec.Listeners {
// TLS is only supported for a limited set of protocol types: https://gateway-api.sigs.k8s.io/guides/tls/#listeners-and-tls
if l.Protocol != gwapi.HTTPSProtocolType && l.Protocol != gwapi.TLSProtocolType {
continue
}
err := validateGatewayListenerBlock(field.NewPath("spec", "listeners").Index(i), l, ingLike).ToAggregate()
if err != nil {
rec.Eventf(ingLike, corev1.EventTypeWarning, reasonBadConfig, "Skipped a listener block: "+err.Error())
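Review bot: The new `continue` in the protocol check drops every listener that is not HTTPS or TLS without emitting any event, including one that still carries a `tls` block, so a mistyped `protocol` now yields no Certificate and no signal to the operator. Unless the API server's own validation already rejects that combination (not visible here), keep the skip silent only when `l.TLS == nil` and warn otherwise, e.g. `if l.TLS != nil { rec.Eventf(ingLike, corev1.EventTypeWarning, reasonBadConfig, "Skipped a listener block: protocol %q does not support TLS", l.Protocol) }` placed before the `continue`. On the unchanged `rec.Eventf` line that follows, the message is built by concatenation and passed as the format string; `"Skipped a listener block: %s", err.Error()` would stop a stray `%` in a listener value from garbling the event text. buildCertificates starts and ends outside this hunk.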


@ -1680,7 +1680,7 @@ func TestSync(t *testing.T) {
testGatewayShim := []testT{
{
Name: "return a single Certificate for a Gateway with a single valid TLS entry and common-name annotation",
Name: "return a single Certificate for a Gateway with a single valid TLS entry and common-name annotation (HTTPS)",
Issuer: acmeClusterIssuer,
IngressLike: &gwapi.Gateway{
ObjectMeta: metav1.ObjectMeta{
@ -1701,7 +1701,69 @@ func TestSync(t *testing.T) {
{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
{
Group: func() *gwapi.Group { g := gwapi.Group("core"); return &g }(),
Kind: func() *gwapi.Kind { k := gwapi.Kind("Secret"); return &k }(),
Name: "example-com-tls",
},
},
},
},
},
},
},
ClusterIssuerLister: []runtime.Object{acmeClusterIssuer},
ExpectedEvents: []string{`Normal CreateCertificate Successfully created Certificate "example-com-tls"`},
ExpectedCreate: []*cmapi.Certificate{
{
ObjectMeta: metav1.ObjectMeta{
Name: "example-com-tls",
Namespace: gen.DefaultTestNamespace,
Labels: map[string]string{
"my-test-label": "should be copied",
},
OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace),
},
Spec: cmapi.CertificateSpec{
DNSNames: []string{"example.com"},
CommonName: "my-cn",
SecretName: "example-com-tls",
IssuerRef: cmmeta.ObjectReference{
Name: "issuer-name",
Kind: "ClusterIssuer",
},
Usages: cmapi.DefaultKeyUsages(),
},
},
},
},
{
Name: "return a single Certificate for a Gateway with a single valid TLS entry and common-name annotation (TLS)",
Issuer: acmeClusterIssuer,
IngressLike: &gwapi.Gateway{
ObjectMeta: metav1.ObjectMeta{
Name: "gateway-name",
Namespace: gen.DefaultTestNamespace,
Labels: map[string]string{
"my-test-label": "should be copied",
},
Annotations: map[string]string{
cmapi.IngressClusterIssuerNameAnnotationKey: "issuer-name",
cmapi.CommonNameAnnotationKey: "my-cn",
},
UID: types.UID("gateway-name"),
},
Spec: gwapi.GatewaySpec{
GatewayClassName: "test-gateway",
Listeners: []gwapi.Listener{
{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: gwapi.TLSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -1762,7 +1824,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -1825,7 +1887,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -1884,7 +1946,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -1937,7 +1999,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -1991,7 +2053,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2048,7 +2110,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2100,7 +2162,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2156,7 +2218,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2193,7 +2255,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2207,7 +2269,7 @@ func TestSync(t *testing.T) {
}, {
Hostname: nil, // 🔥
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2262,7 +2324,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{},
@ -2270,7 +2332,7 @@ func TestSync(t *testing.T) {
}, {
Hostname: ptrHostname("www.example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2334,7 +2396,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2388,7 +2450,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2450,7 +2512,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2528,7 +2590,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2580,7 +2642,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2684,7 +2746,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2759,7 +2821,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2773,7 +2835,7 @@ func TestSync(t *testing.T) {
}, {
Hostname: ptrHostname("www.example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2787,7 +2849,7 @@ func TestSync(t *testing.T) {
}, {
Hostname: ptrHostname("foo.example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2844,7 +2906,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("foo.example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2858,7 +2920,7 @@ func TestSync(t *testing.T) {
}, {
Hostname: ptrHostname("bar.example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2933,7 +2995,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
@ -2971,7 +3033,7 @@ func TestSync(t *testing.T) {
Listeners: []gwapi.Listener{{
Hostname: ptrHostname("example.com"),
Port: 443,
Protocol: "HTTPS",
Protocol: gwapi.HTTPSProtocolType,
TLS: &gwapi.GatewayTLSConfig{
Mode: ptrMode(gwapi.TLSModeTerminate),
CertificateRefs: []gwapi.SecretObjectReference{
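Review bot: The only new case in this file is the positive one for `gwapi.TLSProtocolType`; none of the hunks pins the behaviour the commit actually introduces, namely that a listener with a non-TLS protocol is skipped with no Certificate and no warning event. A case using `Protocol: gwapi.HTTPProtocolType` with empty `ExpectedCreate` and `ExpectedEvents` would cover the new `continue` branch, and a Gateway mixing one HTTP and one HTTPS listener would show that the skip leaves the remaining listeners untouched. The TestSync table continues outside these hunks, so an existing case may already cover part of this.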