homelab/traefik
1
0
Fork 0
Code Activity

Merge current v2.5 into master

Browse source
This commit is contained in:
Tom Moulard 2021-09-23 15:30:01 +02:00
commit 380514941c
No known key found for this signature in database
GPG key ID: 521ABE0C1A0DEAF6
35 changed files with 773 additions and 161 deletions
Download patch file Download diff file Expand all files Collapse all files

30
pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_options_cross_namespace.yml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: HostSNI(`foo.com`)
services:
- name: whoamitcp
port: 8000
tls:
options:
name: tls-options-cn
namespace: cross-ns
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: tls-options-cn
namespace: cross-ns
spec:
minVersion: VersionTLS12

52
pkg/provider/kubernetes/crd/fixtures/with_cross_namespace.yml
View file

@ -9,23 +9,31 @@ spec:
- foo
routes:
- match: Host(`foo.com`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
services:
- name: whoami-svc
namespace: cross-ns
port: 80
- name: tr-svc-wrr1
kind: TraefikService
- name: tr-svc-wrr2
namespace: cross-ns
kind: TraefikService
- name: tr-svc-mirror1
kind: TraefikService
- name: tr-svc-mirror2
namespace: cross-ns
kind: TraefikService
- match: Host(`foo.com`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
services:
- name: whoami-svc
namespace: cross-ns
port: 80
- name: tr-svc-wrr1
kind: TraefikService
- name: tr-svc-wrr2
namespace: cross-ns
kind: TraefikService
- name: tr-svc-mirror1
kind: TraefikService
- name: tr-svc-mirror2
namespace: cross-ns
kind: TraefikService
- match: Host(`bar.com`) && PathPrefix(`/foo`)
kind: Rule
services:
- name: whoami-svc
namespace: cross-ns
port: 80
serversTransport: foo-test@kubernetescrd
---
apiVersion: traefik.containo.us/v1alpha1
@ -89,3 +97,13 @@ spec:
namespace: cross-ns
percent: 20
port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
name: test
namespace: foo
spec:
serverName: "test"

53
pkg/provider/kubernetes/crd/fixtures/with_servers_transport.yml
View file

@ -93,18 +93,53 @@ spec:
serverName: "test"
insecureSkipVerify: true
maxIdleConnsPerHost: 42
disableHTTP2: true
peerCertURI: foo://bar
rootCAsSecrets:
- root-ca0
- root-ca1
- root-ca2
- root-ca3
- root-ca4
- allcerts
- root-ca0
- root-ca1
- root-ca2
- root-ca3
- root-ca4
- allcerts
certificatesSecrets:
- mtls1
- mtls2
- allcerts
- mtls1
- mtls2
- allcerts
forwardingTimeouts:
dialTimeout: 42
responseHeaderTimeout: 42s
idleConnTimeout: 42ms
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
name: test
namespace: default
spec:
serverName: "test"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: Host(`foo.com`)
kind: Rule
services:
- name: external-svc-with-https
port: 443
serversTransport: test
- name: whoamitls
port: 443
serversTransport: default-test

29
pkg/provider/kubernetes/crd/fixtures/with_servers_transport_cross_namespace.yml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: Host(`foo.com`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
services:
- name: whoami
port: 80
serversTransport: cross-ns-st-cross-ns@kubernetescrd
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
name: st-cross-ns
namespace: cross-ns
spec:
disableHTTP2: true

31
pkg/provider/kubernetes/crd/fixtures/with_tls_options_cross_namespace.yml Normal file
View file

@ -0,0 +1,31 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: Host(`foo.com`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
services:
- name: whoami
port: 80
tls:
options:
name: tls-options-cn
namespace: cross-ns
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: tls-options-cn
namespace: cross-ns
spec:
minVersion: VersionTLS12

5
pkg/provider/kubernetes/crd/kubernetes.go
View file

@ -341,13 +341,16 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
}
}
conf.HTTP.ServersTransports[serversTransport.Name] = &dynamic.ServersTransport{
id := provider.Normalize(makeID(serversTransport.Namespace, serversTransport.Name))
conf.HTTP.ServersTransports[id] = &dynamic.ServersTransport{
ServerName: serversTransport.Spec.ServerName,
InsecureSkipVerify: serversTransport.Spec.InsecureSkipVerify,
RootCAs: rootCAs,
Certificates: certs,
DisableHTTP2: serversTransport.Spec.DisableHTTP2,
MaxIdleConnsPerHost: serversTransport.Spec.MaxIdleConnsPerHost,
ForwardingTimeouts: forwardingTimeout,
PeerCertURI: serversTransport.Spec.PeerCertURI,
}
}

44
pkg/provider/kubernetes/crd/kubernetes_http.go
View file

@ -104,7 +104,7 @@ func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Cli
}
}
conf.Routers[normalized] = &dynamic.Router{
r := &dynamic.Router{
Middlewares: mds,
Priority: route.Priority,
EntryPoints: ingressRoute.Spec.EntryPoints,
@ -113,7 +113,7 @@ func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Cli
}
if ingressRoute.Spec.TLS != nil {
tlsConf := &dynamic.RouterTLSConfig{
r.TLS = &dynamic.RouterTLSConfig{
CertResolver: ingressRoute.Spec.TLS.CertResolver,
Domains: ingressRoute.Spec.TLS.Domains,
}
@ -129,14 +129,21 @@ func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Cli
tlsOptionsName = makeID(ns, tlsOptionsName)
} else if len(ns) > 0 {
logger.
WithField("TLSoptions", ingressRoute.Spec.TLS.Options.Name).
Warnf("namespace %q is ignored in cross-provider context", ns)
WithField("TLSOption", ingressRoute.Spec.TLS.Options.Name).
Warnf("Namespace %q is ignored in cross-provider context", ns)
}
tlsConf.Options = tlsOptionsName
if !isNamespaceAllowed(p.AllowCrossNamespace, ingressRoute.Namespace, ns) {
logger.Errorf("TLSOption %s/%s is not in the IngressRoute namespace %s",
ns, ingressRoute.Spec.TLS.Options.Name, ingressRoute.Namespace)
continue
}
r.TLS.Options = tlsOptionsName
}
conf.Routers[normalized].TLS = tlsConf
}
conf.Routers[normalized] = r
}
}
@ -297,11 +304,34 @@ func (c configBuilder) buildServersLB(namespace string, svc v1alpha1.LoadBalance
lb.ResponseForwarding = conf.ResponseForwarding
lb.Sticky = svc.Sticky
lb.ServersTransport = svc.ServersTransport
lb.ServersTransport, err = c.makeServersTransportKey(namespace, svc.ServersTransport)
if err != nil {
return nil, err
}
return &dynamic.Service{LoadBalancer: lb}, nil
}
func (c *configBuilder) makeServersTransportKey(parentNamespace string, serversTransportName string) (string, error) {
if serversTransportName == "" {
return "", nil
}
if !c.allowCrossNamespace && strings.HasSuffix(serversTransportName, providerNamespaceSeparator+providerName) {
// Since we are not able to know if another namespace is in the name (namespace-name@kubernetescrd),
// if the provider namespace kubernetescrd is used,
// we don't allow this format to avoid cross namespace references.
return "", fmt.Errorf("invalid reference to serversTransport %s: namespace-name@kubernetescrd format is not allowed when crossnamespace is disallowed", serversTransportName)
}
if strings.Contains(serversTransportName, providerNamespaceSeparator) {
return serversTransportName, nil
}
return provider.Normalize(makeID(parentNamespace, serversTransportName)), nil
}
func (c configBuilder) loadServers(parentNamespace string, svc v1alpha1.LoadBalancerSpec) ([]dynamic.Server, error) {
strategy := svc.Strategy
if strategy == "" {

44
pkg/provider/kubernetes/crd/kubernetes_tcp.go
View file

@ -93,7 +93,7 @@ func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client
conf.Services[serviceName].Weighted.Services = append(conf.Services[serviceName].Weighted.Services, srv)
}
conf.Routers[serviceName] = &dynamic.TCPRouter{
r := &dynamic.TCPRouter{
EntryPoints: ingressRouteTCP.Spec.EntryPoints,
Middlewares: mds,
Rule: route.Match,
@ -101,32 +101,38 @@ func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client
}
if ingressRouteTCP.Spec.TLS != nil {
conf.Routers[serviceName].TLS = &dynamic.RouterTCPTLSConfig{
r.TLS = &dynamic.RouterTCPTLSConfig{
Passthrough: ingressRouteTCP.Spec.TLS.Passthrough,
CertResolver: ingressRouteTCP.Spec.TLS.CertResolver,
Domains: ingressRouteTCP.Spec.TLS.Domains,
}
if ingressRouteTCP.Spec.TLS.Options == nil || len(ingressRouteTCP.Spec.TLS.Options.Name) == 0 {
continue
}
tlsOptionsName := ingressRouteTCP.Spec.TLS.Options.Name
// Is a Kubernetes CRD reference (i.e. not a cross-provider reference)
ns := ingressRouteTCP.Spec.TLS.Options.Namespace
if !strings.Contains(tlsOptionsName, "@") {
if len(ns) == 0 {
ns = ingressRouteTCP.Namespace
if ingressRouteTCP.Spec.TLS.Options != nil && len(ingressRouteTCP.Spec.TLS.Options.Name) > 0 {
tlsOptionsName := ingressRouteTCP.Spec.TLS.Options.Name
// Is a Kubernetes CRD reference (i.e. not a cross-provider reference)
ns := ingressRouteTCP.Spec.TLS.Options.Namespace
if !strings.Contains(tlsOptionsName, providerNamespaceSeparator) {
if len(ns) == 0 {
ns = ingressRouteTCP.Namespace
}
tlsOptionsName = makeID(ns, tlsOptionsName)
} else if len(ns) > 0 {
logger.
WithField("TLSOption", ingressRouteTCP.Spec.TLS.Options.Name).
Warnf("Namespace %q is ignored in cross-provider context", ns)
}
tlsOptionsName = makeID(ns, tlsOptionsName)
} else if len(ns) > 0 {
logger.
WithField("TLSoptions", ingressRouteTCP.Spec.TLS.Options.Name).
Warnf("namespace %q is ignored in cross-provider context", ns)
}
conf.Routers[serviceName].TLS.Options = tlsOptionsName
if !isNamespaceAllowed(p.AllowCrossNamespace, ingressRouteTCP.Namespace, ns) {
logger.Errorf("TLSOption %s/%s is not in the IngressRouteTCP namespace %s",
ns, ingressRouteTCP.Spec.TLS.Options.Name, ingressRouteTCP.Namespace)
continue
}
r.TLS.Options = tlsOptionsName
}
}
conf.Routers[serviceName] = r
}
}

396
pkg/provider/kubernetes/crd/kubernetes_test.go
View file

@ -1332,10 +1332,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
func TestLoadIngressRoutes(t *testing.T) {
testCases := []struct {
desc string
ingressClass string
paths []string
expected *dynamic.Configuration
desc string
ingressClass string
paths []string
expected *dynamic.Configuration
AllowCrossNamespace bool
}{
{
desc: "Empty",
@ -1402,8 +1403,9 @@ func TestLoadIngressRoutes(t *testing.T) {
},
},
{
desc: "Simple Ingress Route with middleware",
paths: []string{"services.yml", "with_middleware.yml"},
desc: "Simple Ingress Route with middleware",
AllowCrossNamespace: true,
paths: []string{"services.yml", "with_middleware.yml"},
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
@ -1457,8 +1459,9 @@ func TestLoadIngressRoutes(t *testing.T) {
},
},
{
desc: "Simple Ingress Route with middleware crossprovider",
paths: []string{"services.yml", "with_middleware_crossprovider.yml"},
desc: "Simple Ingress Route with middleware crossprovider",
AllowCrossNamespace: true,
paths: []string{"services.yml", "with_middleware_crossprovider.yml"},
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
@ -2026,8 +2029,9 @@ func TestLoadIngressRoutes(t *testing.T) {
},
},
{
desc: "services lb, servers lb, and mirror service, all in a wrr with different namespaces",
paths: []string{"with_namespaces.yml"},
desc: "services lb, servers lb, and mirror service, all in a wrr with different namespaces",
AllowCrossNamespace: true,
paths: []string{"with_namespaces.yml"},
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
@ -2730,8 +2734,9 @@ func TestLoadIngressRoutes(t *testing.T) {
},
},
{
desc: "TLS with tls options and specific namespace",
paths: []string{"services.yml", "with_tls_options_and_specific_namespace.yml"},
desc: "TLS with tls options and specific namespace",
paths: []string{"services.yml", "with_tls_options_and_specific_namespace.yml"},
AllowCrossNamespace: true,
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
@ -2924,8 +2929,9 @@ func TestLoadIngressRoutes(t *testing.T) {
},
},
{
desc: "TLS with unknown tls options namespace",
paths: []string{"services.yml", "with_unknown_tls_options_namespace.yml"},
desc: "TLS with unknown tls options namespace",
paths: []string{"services.yml", "with_unknown_tls_options_namespace.yml"},
AllowCrossNamespace: true,
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
@ -3497,7 +3503,7 @@ func TestLoadIngressRoutes(t *testing.T) {
},
HTTP: &dynamic.HTTPConfiguration{
ServersTransports: map[string]*dynamic.ServersTransport{
"test": {
"foo-test": {
ServerName: "test",
InsecureSkipVerify: true,
RootCAs: []tls.FileOrContent{"TESTROOTCAS0", "TESTROOTCAS1", "TESTROOTCAS2", "TESTROOTCAS3", "TESTROOTCAS5", "TESTALLCERTS"},
@ -3507,16 +3513,71 @@ func TestLoadIngressRoutes(t *testing.T) {
{CertFile: "TESTCERT3", KeyFile: "TESTKEY3"},
},
MaxIdleConnsPerHost: 42,
DisableHTTP2: true,
ForwardingTimeouts: &dynamic.ForwardingTimeouts{
DialTimeout: types.Duration(42 * time.Second),
ResponseHeaderTimeout: types.Duration(42 * time.Second),
IdleConnTimeout: types.Duration(42 * time.Millisecond),
},
PeerCertURI: "foo://bar",
},
"default-test": {
ServerName: "test",
ForwardingTimeouts: &dynamic.ForwardingTimeouts{
DialTimeout: types.Duration(30 * time.Second),
IdleConnTimeout: types.Duration(90 * time.Second),
},
},
},
Routers: map[string]*dynamic.Router{
"default-test-route-6f97418635c7e18853da": {
EntryPoints: []string{"foo"},
Service: "default-test-route-6f97418635c7e18853da",
Rule: "Host(`foo.com`)",
},
},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Services: map[string]*dynamic.Service{
"default-external-svc-with-https-443": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "https://external.domain:443",
},
},
PassHostHeader: Bool(true),
ServersTransport: "default-test",
},
},
"default-whoamitls-443": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "https://10.10.0.5:8443",
},
{
URL: "https://10.10.0.6:8443",
},
},
PassHostHeader: Bool(true),
ServersTransport: "default-default-test",
},
},
"default-test-route-6f97418635c7e18853da": {
Weighted: &dynamic.WeightedRoundRobin{
Services: []dynamic.WRRService{
{
Name: "default-external-svc-with-https-443",
Weight: Int(1),
},
{
Name: "default-whoamitls-443",
Weight: Int(1),
},
},
},
},
},
},
TLS: &dynamic.TLSConfiguration{},
},
@ -3532,7 +3593,7 @@ func TestLoadIngressRoutes(t *testing.T) {
return
}
p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: true, AllowExternalNameServices: true}
p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: test.AllowCrossNamespace, AllowExternalNameServices: true}
clientMock := newClientMock(test.paths...)
conf := p.loadConfigurationFromCRD(context.Background(), clientMock)
@ -4474,6 +4535,11 @@ func TestCrossNamespace(t *testing.T) {
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
},
"default-cross-ns-route-1bc3efa892379bb93c6e": {
EntryPoints: []string{"foo"},
Service: "default-cross-ns-route-1bc3efa892379bb93c6e",
Rule: "Host(`bar.com`) && PathPrefix(`/foo`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
@ -4503,6 +4569,20 @@ func TestCrossNamespace(t *testing.T) {
},
},
},
"default-cross-ns-route-1bc3efa892379bb93c6e": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: Bool(true),
ServersTransport: "foo-test@kubernetescrd",
},
},
"cross-ns-whoami-svc-80": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
@ -4647,6 +4727,189 @@ func TestCrossNamespace(t *testing.T) {
TLS: &dynamic.TLSConfiguration{},
},
},
{
desc: "HTTP ServersTransport cross namespace allowed",
paths: []string{"services.yml", "with_servers_transport_cross_namespace.yml"},
allowCrossNamespace: true,
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
Services: map[string]*dynamic.UDPService{},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{
"default-test-route-6b204d94623b3df4370c": {
EntryPoints: []string{"foo"},
Service: "default-test-route-6b204d94623b3df4370c",
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"default-test-route-6b204d94623b3df4370c": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: Bool(true),
ServersTransport: "cross-ns-st-cross-ns@kubernetescrd",
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{
"cross-ns-st-cross-ns": {
ForwardingTimeouts: &dynamic.ForwardingTimeouts{
DialTimeout: 30000000000,
ResponseHeaderTimeout: 0,
IdleConnTimeout: 90000000000,
},
DisableHTTP2: true,
},
},
},
TLS: &dynamic.TLSConfiguration{},
},
},
{
desc: "HTTP ServersTransport cross namespace disallowed",
paths: []string{"services.yml", "with_servers_transport_cross_namespace.yml"},
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
Services: map[string]*dynamic.UDPService{},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{
"cross-ns-st-cross-ns": {
ForwardingTimeouts: &dynamic.ForwardingTimeouts{
DialTimeout: 30000000000,
ResponseHeaderTimeout: 0,
IdleConnTimeout: 90000000000,
},
DisableHTTP2: true,
},
},
},
TLS: &dynamic.TLSConfiguration{},
},
},
{
desc: "HTTP TLSOption cross namespace allowed",
paths: []string{"services.yml", "with_tls_options_cross_namespace.yml"},
allowCrossNamespace: true,
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
Services: map[string]*dynamic.UDPService{},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{
"default-test-route-6b204d94623b3df4370c": {
EntryPoints: []string{"foo"},
Service: "default-test-route-6b204d94623b3df4370c",
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
TLS: &dynamic.RouterTLSConfig{
Options: "cross-ns-tls-options-cn",
},
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"default-test-route-6b204d94623b3df4370c": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: Bool(true),
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"cross-ns-tls-options-cn": {
MinVersion: "VersionTLS12",
ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"},
},
},
},
},
},
{
desc: "HTTP TLSOption cross namespace disallowed",
paths: []string{"services.yml", "with_tls_options_cross_namespace.yml"},
allowCrossNamespace: false,
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
Services: map[string]*dynamic.UDPService{},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"default-test-route-6b204d94623b3df4370c": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: Bool(true),
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"cross-ns-tls-options-cn": {
MinVersion: "VersionTLS12",
ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"},
},
},
},
},
},
{
desc: "TCP middleware cross namespace disallowed",
paths: []string{"tcp/services.yml", "tcp/with_middleware_with_cross_namespace.yml"},
@ -4843,6 +5106,101 @@ func TestCrossNamespace(t *testing.T) {
TLS: &dynamic.TLSConfiguration{},
},
},
{
desc: "TCP TLSOption cross namespace allowed",
paths: []string{"tcp/services.yml", "tcp/with_tls_options_cross_namespace.yml"},
allowCrossNamespace: true,
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
"default-test.route-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default-test.route-fdd3e9338e47a45efefc",
Rule: "HostSNI(`foo.com`)",
TLS: &dynamic.RouterTCPTLSConfig{
Options: "cross-ns-tls-options-cn",
},
},
},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
"default-test.route-fdd3e9338e47a45efefc": {
LoadBalancer: &dynamic.TCPServersLoadBalancer{
Servers: []dynamic.TCPServer{
{
Address: "10.10.0.1:8000",
},
{
Address: "10.10.0.2:8000",
},
},
},
},
},
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"cross-ns-tls-options-cn": {
MinVersion: "VersionTLS12",
ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"},
},
},
},
},
},
{
desc: "TCP TLSOption cross namespace disallowed",
paths: []string{"tcp/services.yml", "tcp/with_tls_options_cross_namespace.yml"},
allowCrossNamespace: false,
expected: &dynamic.Configuration{
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Middlewares: map[string]*dynamic.TCPMiddleware{},
Services: map[string]*dynamic.TCPService{
"default-test.route-fdd3e9338e47a45efefc": {
LoadBalancer: &dynamic.TCPServersLoadBalancer{
Servers: []dynamic.TCPServer{
{
Address: "10.10.0.1:8000",
},
{
Address: "10.10.0.2:8000",
},
},
},
},
},
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"cross-ns-tls-options-cn": {
MinVersion: "VersionTLS12",
ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"},
},
},
},
},
},
{
desc: "UDP cross namespace allowed",
paths: []string{"udp/services.yml", "udp/with_cross_namespace.yml"},
@ -4949,6 +5307,8 @@ func TestCrossNamespace(t *testing.T) {
crdObjects = append(crdObjects, o)
case *v1alpha1.TLSStore:
crdObjects = append(crdObjects, o)
case *v1alpha1.ServersTransport:
crdObjects = append(crdObjects, o)
default:
}
}