diff --git a/pkg/controller/certificate-shim/sync.go b/pkg/controller/certificate-shim/sync.go index 11bf4863b..5010cd479 100644 --- a/pkg/controller/certificate-shim/sync.go +++ b/pkg/controller/certificate-shim/sync.go @@ -322,6 +322,11 @@ func buildCertificates( } case *gwapi.Gateway: for i, l := range ingLike.Spec.Listeners { + // TLS is only supported for a limited set of protocol types: https://gateway-api.sigs.k8s.io/guides/tls/#listeners-and-tls + if l.Protocol != gwapi.HTTPSProtocolType && l.Protocol != gwapi.TLSProtocolType { + continue + } + err := validateGatewayListenerBlock(field.NewPath("spec", "listeners").Index(i), l, ingLike).ToAggregate() if err != nil { rec.Eventf(ingLike, corev1.EventTypeWarning, reasonBadConfig, "Skipped a listener block: "+err.Error()) diff --git a/pkg/controller/certificate-shim/sync_test.go b/pkg/controller/certificate-shim/sync_test.go index a7312391c..de1231409 100644 --- a/pkg/controller/certificate-shim/sync_test.go +++ b/pkg/controller/certificate-shim/sync_test.go @@ -1680,7 +1680,7 @@ func TestSync(t *testing.T) { testGatewayShim := []testT{ { - Name: "return a single Certificate for a Gateway with a single valid TLS entry and common-name annotation", + Name: "return a single Certificate for a Gateway with a single valid TLS entry and common-name annotation (HTTPS)", Issuer: acmeClusterIssuer, IngressLike: &gwapi.Gateway{ ObjectMeta: metav1.ObjectMeta{ 
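Review bot: The new guard at the top of the `for i, l := range ingLike.Spec.Listeners` loop skips every non-HTTPS/TLS listener silently, so a listener that is misconfigured with a TLS block on an HTTP, TCP or UDP protocol now yields neither a Certificate nor an event, whereas every other skipped listener still gets a `reasonBadConfig` warning via the `rec.Eventf` call a few lines below. If the intent is only to stop warning about plain HTTP listeners, the skip could stay silent when `l.TLS == nil` and still surface the misconfiguration otherwise, e.g. `if l.TLS != nil { rec.Eventf(ingLike, corev1.EventTypeWarning, reasonBadConfig, "Skipped a listener block: TLS configuration is ignored for protocol "+string(l.Protocol)) }` placed before the `continue`. The added comment would also help readers more if it stated the consequence, e.g. `// Listeners on any other protocol are skipped without an event; this controller cannot issue a certificate for them.` buildCertificates begins before and continues after this hunk.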
@@ -1701,7 +1701,69 @@ func TestSync(t *testing.T) { { Hostname: ptrHostname("example.com"), Port: 443, - Protocol: "HTTPS", + Protocol: gwapi.HTTPSProtocolType, + TLS: &gwapi.GatewayTLSConfig{ + Mode: ptrMode(gwapi.TLSModeTerminate), + CertificateRefs: []gwapi.SecretObjectReference{ + { + Group: func() *gwapi.Group { g := gwapi.Group("core"); return &g }(), + Kind: func() *gwapi.Kind { k := gwapi.Kind("Secret"); return &k }(), + Name: "example-com-tls", + }, + }, + }, + }, + }, + }, + }, + ClusterIssuerLister: []runtime.Object{acmeClusterIssuer}, + ExpectedEvents: []string{`Normal CreateCertificate Successfully created Certificate "example-com-tls"`}, + ExpectedCreate: []*cmapi.Certificate{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "example-com-tls", + Namespace: gen.DefaultTestNamespace, + Labels: map[string]string{ + "my-test-label": "should be copied", + }, + OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + }, + Spec: cmapi.CertificateSpec{ + DNSNames: []string{"example.com"}, + CommonName: "my-cn", + SecretName: "example-com-tls", + IssuerRef: cmmeta.ObjectReference{ + Name: "issuer-name", + Kind: "ClusterIssuer", + }, + Usages: cmapi.DefaultKeyUsages(), + }, + }, + }, + }, + { + Name: "return a single Certificate for a Gateway with a single valid TLS entry and common-name annotation (TLS)", + Issuer: acmeClusterIssuer, + IngressLike: &gwapi.Gateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: "gateway-name", + Namespace: gen.DefaultTestNamespace, + Labels: map[string]string{ + "my-test-label": "should be copied", + }, + Annotations: map[string]string{ + cmapi.IngressClusterIssuerNameAnnotationKey: "issuer-name", + cmapi.CommonNameAnnotationKey: "my-cn", + }, + UID: types.UID("gateway-name"), + }, + Spec: gwapi.GatewaySpec{ + GatewayClassName: "test-gateway", + Listeners: []gwapi.Listener{ + { + Hostname: ptrHostname("example.com"), + Port: 443, + Protocol: gwapi.TLSProtocolType, TLS: &gwapi.GatewayTLSConfig{ Mode: 
ptrMode(gwapi.TLSModeTerminate), CertificateRefs: []gwapi.SecretObjectReference{ @@ -1762,7 +1824,7 @@ func TestSync(t *testing.T) { Listeners: []gwapi.Listener{{ Hostname: ptrHostname("example.com"), Port: 443, - Protocol: "HTTPS", + Protocol: gwapi.HTTPSProtocolType, TLS: &gwapi.GatewayTLSConfig{ Mode: ptrMode(gwapi.TLSModeTerminate), CertificateRefs: []gwapi.SecretObjectReference{ @@ -1825,7 +1887,7 @@ func TestSync(t *testing.T) { Listeners: []gwapi.Listener{{ Hostname: ptrHostname("example.com"), Port: 443, - Protocol: "HTTPS", + Protocol: gwapi.HTTPSProtocolType, TLS: &gwapi.GatewayTLSConfig{ Mode: ptrMode(gwapi.TLSModeTerminate), CertificateRefs: []gwapi.SecretObjectReference{ @@ -1884,7 +1946,7 @@ func TestSync(t *testing.T) { Listeners: []gwapi.Listener{{ Hostname: ptrHostname("example.com"), Port: 443, - Protocol: "HTTPS", + Protocol: gwapi.HTTPSProtocolType, TLS: &gwapi.GatewayTLSConfig{ Mode: ptrMode(gwapi.TLSModeTerminate), CertificateRefs: []gwapi.SecretObjectReference{ @@ -1937,7 +1999,7 @@ func TestSync(t *testing.T) { Listeners: []gwapi.Listener{{ Hostname: ptrHostname("example.com"), Port: 443, - Protocol: "HTTPS", + Protocol: gwapi.HTTPSProtocolType, TLS: &gwapi.GatewayTLSConfig{ Mode: ptrMode(gwapi.TLSModeTerminate), CertificateRefs: []gwapi.SecretObjectReference{ @@ -1991,7 +2053,7 @@ func TestSync(t *testing.T) { Listeners: []gwapi.Listener{{ Hostname: ptrHostname("example.com"), Port: 443, - Protocol: "HTTPS", + Protocol: gwapi.HTTPSProtocolType, TLS: &gwapi.GatewayTLSConfig{ Mode: ptrMode(gwapi.TLSModeTerminate), CertificateRefs: []gwapi.SecretObjectReference{ @@ -2048,7 +2110,7 @@ func TestSync(t *testing.T) { Listeners: []gwapi.Listener{{ Hostname: ptrHostname("example.com"), Port: 443, - Protocol: "HTTPS", + Protocol: gwapi.HTTPSProtocolType, TLS: &gwapi.GatewayTLSConfig{ Mode: ptrMode(gwapi.TLSModeTerminate), CertificateRefs: []gwapi.SecretObjectReference{ 
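Review bot: The two test cases added in this hunk exercise only the accepted protocols (`gwapi.HTTPSProtocolType` and `gwapi.TLSProtocolType`); nothing covers the behaviour the sync.go change introduces, namely that a listener on any other protocol is skipped without a Certificate being created or an event being recorded. A third case built from the same Gateway but with `Protocol: gwapi.HTTPProtocolType` (and, to pin the silent-skip behaviour, the same `TLS` block left in place) with empty `ExpectedCreate` and `ExpectedEvents` would lock that down and catch a regression in the guard. The `testGatewayShim` table this hunk belongs to starts before the hunk and continues past its end.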
@@ -2100,7 +2162,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2156,7 +2218,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2193,7 +2255,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2207,7 +2269,7 @@ func TestSync(t *testing.T) {
  }, {
  Hostname: nil, // 🔥
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2262,7 +2324,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{},
@@ -2270,7 +2332,7 @@ func TestSync(t *testing.T) {
  }, {
  Hostname: ptrHostname("www.example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2334,7 +2396,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2388,7 +2450,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2450,7 +2512,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2528,7 +2590,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2580,7 +2642,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2684,7 +2746,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2759,7 +2821,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2773,7 +2835,7 @@ func TestSync(t *testing.T) {
  }, {
  Hostname: ptrHostname("www.example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2787,7 +2849,7 @@ func TestSync(t *testing.T) {
  }, {
  Hostname: ptrHostname("foo.example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2844,7 +2906,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("foo.example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2858,7 +2920,7 @@ func TestSync(t *testing.T) {
  }, {
  Hostname: ptrHostname("bar.example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2933,7 +2995,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{
@@ -2971,7 +3033,7 @@ func TestSync(t *testing.T) {
  Listeners: []gwapi.Listener{{
  Hostname: ptrHostname("example.com"),
  Port: 443,
- Protocol: "HTTPS",
+ Protocol: gwapi.HTTPSProtocolType,
  TLS: &gwapi.GatewayTLSConfig{
  Mode: ptrMode(gwapi.TLSModeTerminate),
  CertificateRefs: []gwapi.SecretObjectReference{