homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Define a TLS section to group TLS, TLSOptions, and TLSStores.

Browse source 
Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com>
This commit is contained in:
Ludovic Fernandez 2019-06-27 23:58:03 +02:00 committed by Traefiker Bot
parent c9b2a07bc7
commit 4245096be4
52 changed files with 717 additions and 628 deletions
Download patch file Download diff file Expand all files Collapse all files

38
pkg/provider/kubernetes/crd/kubernetes.go
View file

@ -293,14 +293,14 @@ func loadServers(client Client, namespace string, svc v1alpha1.Service) ([]confi
return servers, nil
}
func buildTLSOptions(ctx context.Context, client Client) map[string]tls.TLS {
func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options {
tlsOptionsCRD := client.GetTLSOptions()
var tlsOptions map[string]tls.TLS
var tlsOptions map[string]tls.Options
if len(tlsOptionsCRD) == 0 {
return tlsOptions
}
tlsOptions = make(map[string]tls.TLS)
tlsOptions = make(map[string]tls.Options)
for _, tlsOption := range tlsOptionsCRD {
logger := log.FromContext(log.With(ctx, log.Str("tlsOption", tlsOption.Name), log.Str("namespace", tlsOption.Namespace)))
@ -327,7 +327,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.TLS {
clientCAs = append(clientCAs, tls.FileOrContent(cert))
}
tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.TLS{
tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.Options{
MinVersion: tlsOption.Spec.MinVersion,
CipherSuites: tlsOption.Spec.CipherSuites,
ClientCA: tls.ClientCA{
@ -340,7 +340,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.TLS {
return tlsOptions
}
func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.Configuration) *config.HTTPConfiguration {
func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.CertAndStores) *config.HTTPConfiguration {
conf := &config.HTTPConfiguration{
Routers: map[string]*config.Router{},
Middlewares: map[string]*config.Middleware{},
@ -465,7 +465,7 @@ func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Cli
return conf
}
func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.Configuration) *config.TCPConfiguration {
func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.CertAndStores) *config.TCPConfiguration {
conf := &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
@ -565,12 +565,14 @@ func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client
}
func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client) *config.Configuration {
tlsConfigs := make(map[string]*tls.Configuration)
tlsConfigs := make(map[string]*tls.CertAndStores)
conf := &config.Configuration{
HTTP: p.loadIngressRouteConfiguration(ctx, client, tlsConfigs),
TCP: p.loadIngressRouteTCPConfiguration(ctx, client, tlsConfigs),
TLSOptions: buildTLSOptions(ctx, client),
TLS: getTLSConfig(tlsConfigs),
HTTP: p.loadIngressRouteConfiguration(ctx, client, tlsConfigs),
TCP: p.loadIngressRouteTCPConfiguration(ctx, client, tlsConfigs),
TLS: &config.TLSConfiguration{
Certificates: getTLSConfig(tlsConfigs),
Options: buildTLSOptions(ctx, client),
},
}
for _, middleware := range client.GetMiddlewares() {
@ -604,7 +606,7 @@ func shouldProcessIngress(ingressClass string, ingressClassAnnotation string) bo
(len(ingressClass) == 0 && ingressClassAnnotation == traefikDefaultIngressClass)
}
func getTLSHTTP(ctx context.Context, ingressRoute *v1alpha1.IngressRoute, k8sClient Client, tlsConfigs map[string]*tls.Configuration) error {
func getTLSHTTP(ctx context.Context, ingressRoute *v1alpha1.IngressRoute, k8sClient Client, tlsConfigs map[string]*tls.CertAndStores) error {
if ingressRoute.Spec.TLS == nil {
return nil
}
@ -626,7 +628,7 @@ func getTLSHTTP(ctx context.Context, ingressRoute *v1alpha1.IngressRoute, k8sCli
return nil
}
func getTLSTCP(ctx context.Context, ingressRoute *v1alpha1.IngressRouteTCP, k8sClient Client, tlsConfigs map[string]*tls.Configuration) error {
func getTLSTCP(ctx context.Context, ingressRoute *v1alpha1.IngressRouteTCP, k8sClient Client, tlsConfigs map[string]*tls.CertAndStores) error {
if ingressRoute.Spec.TLS == nil {
return nil
}
@ -648,7 +650,7 @@ func getTLSTCP(ctx context.Context, ingressRoute *v1alpha1.IngressRouteTCP, k8sC
return nil
}
func getTLS(k8sClient Client, secretName, namespace string) (*tls.Configuration, error) {
func getTLS(k8sClient Client, secretName, namespace string) (*tls.CertAndStores, error) {
secret, exists, err := k8sClient.GetSecret(namespace, secretName)
if err != nil {
return nil, fmt.Errorf("failed to fetch secret %s/%s: %v", namespace, secretName, err)
@ -662,22 +664,22 @@ func getTLS(k8sClient Client, secretName, namespace string) (*tls.Configuration,
return nil, err
}
return &tls.Configuration{
Certificate: &tls.Certificate{
return &tls.CertAndStores{
Certificate: tls.Certificate{
CertFile: tls.FileOrContent(cert),
KeyFile: tls.FileOrContent(key),
},
}, nil
}
func getTLSConfig(tlsConfigs map[string]*tls.Configuration) []*tls.Configuration {
func getTLSConfig(tlsConfigs map[string]*tls.CertAndStores) []*tls.CertAndStores {
var secretNames []string
for secretName := range tlsConfigs {
secretNames = append(secretNames, secretName)
}
sort.Strings(secretNames)
var configs []*tls.Configuration
var configs []*tls.CertAndStores
for _, secretName := range secretNames {
configs = append(configs, tlsConfigs[secretName])
}

241
pkg/provider/kubernetes/crd/kubernetes_test.go
View file

@ -31,6 +31,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
TLS: &config.TLSConfiguration{},
},
},
{
@ -67,6 +68,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
},
},
},
TLS: &config.TLSConfiguration{},
},
},
{
@ -122,6 +124,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
TLS: &config.TLSConfiguration{},
},
},
{
@ -165,6 +168,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
TLS: &config.TLSConfiguration{},
},
},
{
@ -181,6 +185,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
TLS: &config.TLSConfiguration{},
},
},
{
@ -196,6 +201,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
TLS: &config.TLSConfiguration{},
},
},
{
@ -211,17 +217,20 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
TLS: &config.TLSConfiguration{},
},
},
{
desc: "TLS",
paths: []string{"tcp/services.yml", "tcp/with_tls.yml"},
expected: &config.Configuration{
TLS: []*tls.Configuration{
{
Certificate: &tls.Certificate{
CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
KeyFile: tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
TLS: &config.TLSConfiguration{
Certificates: []*tls.CertAndStores{
{
Certificate: tls.Certificate{
CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
KeyFile: tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
},
},
},
},
@ -295,27 +304,30 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
TLS: &config.TLSConfiguration{},
},
},
{
desc: "TLS with tls options",
paths: []string{"tcp/services.yml", "tcp/with_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
TLS: &config.TLSConfiguration{
Options: map[string]tls.Options{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
Optional: true,
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
@ -357,21 +369,23 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
desc: "TLS with tls options and specific namespace",
paths: []string{"tcp/services.yml", "tcp/with_tls_options_and_specific_namespace.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"myns/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
TLS: &config.TLSConfiguration{
Options: map[string]tls.Options{
"myns/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
Optional: true,
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
@ -413,20 +427,22 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
desc: "TLS with bad tls options",
paths: []string{"tcp/services.yml", "tcp/with_bad_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
TLS: &config.TLSConfiguration{
Options: map[string]tls.Options{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
Optional: true,
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
@ -468,9 +484,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
desc: "TLS with unknown tls options",
paths: []string{"tcp/services.yml", "tcp/with_unknown_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
TLS: &config.TLSConfiguration{
Options: map[string]tls.Options{
"default/foo": {
MinVersion: "VersionTLS12",
},
},
},
TCP: &config.TCPConfiguration{
@ -512,9 +530,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
desc: "TLS with unknown tls options namespace",
paths: []string{"tcp/services.yml", "tcp/with_unknown_tls_options_namespace.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
TLS: &config.TLSConfiguration{
Options: map[string]tls.Options{
"default/foo": {
MinVersion: "VersionTLS12",
},
},
},
TCP: &config.TCPConfiguration{
@ -587,6 +607,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
TLS: &config.TLSConfiguration{},
},
},
}
@ -627,6 +648,7 @@ func TestLoadIngressRoutes(t *testing.T) {
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
TLS: &config.TLSConfiguration{},
},
},
{
@ -663,6 +685,7 @@ func TestLoadIngressRoutes(t *testing.T) {
},
},
},
TLS: &config.TLSConfiguration{},
},
},
{
@ -711,12 +734,14 @@ func TestLoadIngressRoutes(t *testing.T) {
},
},
},
TLS: &config.TLSConfiguration{},
},
},
{
desc: "Simple Ingress Route with middleware crossprovider",
paths: []string{"services.yml", "with_middleware_crossprovider.yml"},
expected: &config.Configuration{
TLS: &config.TLSConfiguration{},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
@ -814,12 +839,14 @@ func TestLoadIngressRoutes(t *testing.T) {
},
},
},
TLS: &config.TLSConfiguration{},
},
},
{
desc: "One ingress Route with two different services, their servers will merge",
paths: []string{"services.yml", "with_two_services.yml"},
expected: &config.Configuration{
TLS: &config.TLSConfiguration{},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
@ -863,6 +890,7 @@ func TestLoadIngressRoutes(t *testing.T) {
paths: []string{"services.yml", "simple.yml"},
ingressClass: "tchouk",
expected: &config.Configuration{
TLS: &config.TLSConfiguration{},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
@ -878,6 +906,7 @@ func TestLoadIngressRoutes(t *testing.T) {
desc: "Route with empty rule value is ignored",
paths: []string{"services.yml", "with_no_rule_value.yml"},
expected: &config.Configuration{
TLS: &config.TLSConfiguration{},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
@ -893,6 +922,7 @@ func TestLoadIngressRoutes(t *testing.T) {
desc: "Route with kind not of a rule type (empty kind) is ignored",
paths: []string{"services.yml", "with_wrong_rule_kind.yml"},
expected: &config.Configuration{
TLS: &config.TLSConfiguration{},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
@ -908,6 +938,7 @@ func TestLoadIngressRoutes(t *testing.T) {
desc: "check rule quoting validity",
paths: []string{"services.yml", "with_bad_host_rule.yml"},
expected: &config.Configuration{
TLS: &config.TLSConfiguration{},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
@ -923,11 +954,13 @@ func TestLoadIngressRoutes(t *testing.T) {
desc: "TLS",
paths: []string{"services.yml", "with_tls.yml"},
expected: &config.Configuration{
TLS: []*tls.Configuration{
{
Certificate: &tls.Certificate{
CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
KeyFile: tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
TLS: &config.TLSConfiguration{
Certificates: []*tls.CertAndStores{
{
Certificate: tls.Certificate{
CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
KeyFile: tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
},
},
},
},
@ -968,21 +1001,23 @@ func TestLoadIngressRoutes(t *testing.T) {
desc: "TLS with tls options",
paths: []string{"services.yml", "with_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
TLS: &config.TLSConfiguration{
Options: map[string]tls.Options{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
Optional: true,
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
@ -1024,21 +1059,23 @@ func TestLoadIngressRoutes(t *testing.T) {
desc: "TLS with tls options and specific namespace",
paths: []string{"services.yml", "with_tls_options_and_specific_namespace.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"myns/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
TLS: &config.TLSConfiguration{
Options: map[string]tls.Options{
"myns/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
Optional: true,
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
@ -1080,20 +1117,22 @@ func TestLoadIngressRoutes(t *testing.T) {
desc: "TLS with bad tls options",
paths: []string{"services.yml", "with_bad_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
TLS: &config.TLSConfiguration{
Options: map[string]tls.Options{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
Optional: true,
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
@ -1135,9 +1174,11 @@ func TestLoadIngressRoutes(t *testing.T) {
desc: "TLS with unknown tls options",
paths: []string{"services.yml", "with_unknown_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
TLS: &config.TLSConfiguration{
Options: map[string]tls.Options{
"default/foo": {
MinVersion: "VersionTLS12",
},
},
},
TCP: &config.TCPConfiguration{
@ -1179,9 +1220,11 @@ func TestLoadIngressRoutes(t *testing.T) {
desc: "TLS with unknown tls options namespace",
paths: []string{"services.yml", "with_unknown_tls_options_namespace.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
TLS: &config.TLSConfiguration{
Options: map[string]tls.Options{
"default/foo": {
MinVersion: "VersionTLS12",
},
},
},
TCP: &config.TCPConfiguration{
@ -1223,6 +1266,7 @@ func TestLoadIngressRoutes(t *testing.T) {
desc: "TLS with ACME",
paths: []string{"services.yml", "with_tls_acme.yml"},
expected: &config.Configuration{
TLS: &config.TLSConfiguration{},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
@ -1260,6 +1304,7 @@ func TestLoadIngressRoutes(t *testing.T) {
desc: "Simple Ingress Route, defaulting to https for servers",
paths: []string{"services.yml", "with_https_default.yml"},
expected: &config.Configuration{
TLS: &config.TLSConfiguration{},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},

20
pkg/provider/kubernetes/ingress/kubernetes.go
View file

@ -257,7 +257,7 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
ingresses := client.GetIngresses()
tlsConfigs := make(map[string]*tls.Configuration)
tlsConfigs := make(map[string]*tls.CertAndStores)
for _, ingress := range ingresses {
ctx = log.With(ctx, log.Str("ingress", ingress.Name), log.Str("namespace", ingress.Namespace))
@ -341,7 +341,13 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
}
}
conf.TLS = getTLSConfig(tlsConfigs)
certs := getTLSConfig(tlsConfigs)
if len(certs) > 0 {
conf.TLS = &config.TLSConfiguration{
Certificates: certs,
}
}
return conf
}
@ -350,7 +356,7 @@ func shouldProcessIngress(ingressClass string, ingressClassAnnotation string) bo
(len(ingressClass) == 0 && ingressClassAnnotation == traefikDefaultIngressClass)
}
func getTLS(ctx context.Context, ingress *v1beta1.Ingress, k8sClient Client, tlsConfigs map[string]*tls.Configuration) error {
func getTLS(ctx context.Context, ingress *v1beta1.Ingress, k8sClient Client, tlsConfigs map[string]*tls.CertAndStores) error {
for _, t := range ingress.Spec.TLS {
if t.SecretName == "" {
log.FromContext(ctx).Debugf("Skipping TLS sub-section: No secret name provided")
@ -372,8 +378,8 @@ func getTLS(ctx context.Context, ingress *v1beta1.Ingress, k8sClient Client, tls
return err
}
tlsConfigs[configKey] = &tls.Configuration{
Certificate: &tls.Certificate{
tlsConfigs[configKey] = &tls.CertAndStores{
Certificate: tls.Certificate{
CertFile: tls.FileOrContent(cert),
KeyFile: tls.FileOrContent(key),
},
@ -384,14 +390,14 @@ func getTLS(ctx context.Context, ingress *v1beta1.Ingress, k8sClient Client, tls
return nil
}
func getTLSConfig(tlsConfigs map[string]*tls.Configuration) []*tls.Configuration {
func getTLSConfig(tlsConfigs map[string]*tls.CertAndStores) []*tls.CertAndStores {
var secretNames []string
for secretName := range tlsConfigs {
secretNames = append(secretNames, secretName)
}
sort.Strings(secretNames)
var configs []*tls.Configuration
var configs []*tls.CertAndStores
for _, secretName := range secretNames {
configs = append(configs, tlsConfigs[secretName])
}

24
pkg/provider/kubernetes/ingress/kubernetes_test.go
View file

@ -702,11 +702,13 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
},
},
},
TLS: []*tls.Configuration{
{
Certificate: &tls.Certificate{
CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
KeyFile: tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
TLS: &config.TLSConfiguration{
Certificates: []*tls.CertAndStores{
{
Certificate: tls.Certificate{
CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
KeyFile: tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
},
},
},
},
@ -973,7 +975,7 @@ func TestGetTLS(t *testing.T) {
desc string
ingress *v1beta1.Ingress
client Client
result map[string]*tls.Configuration
result map[string]*tls.CertAndStores
errResult string
}{
{
@ -1080,15 +1082,15 @@ func TestGetTLS(t *testing.T) {
},
},
},
result: map[string]*tls.Configuration{
result: map[string]*tls.CertAndStores{
"testing/test-secret": {
Certificate: &tls.Certificate{
Certificate: tls.Certificate{
CertFile: tls.FileOrContent("tls-crt"),
KeyFile: tls.FileOrContent("tls-key"),
},
},
"testing/test-secret2": {
Certificate: &tls.Certificate{
Certificate: tls.Certificate{
CertFile: tls.FileOrContent("tls-crt"),
KeyFile: tls.FileOrContent("tls-key"),
},
@ -1099,7 +1101,7 @@ func TestGetTLS(t *testing.T) {
desc: "return nil when no secret is defined",
ingress: testIngressWithoutSecret,
client: clientMock{},
result: map[string]*tls.Configuration{},
result: map[string]*tls.CertAndStores{},
},
}
@ -1108,7 +1110,7 @@ func TestGetTLS(t *testing.T) {
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
tlsConfigs := map[string]*tls.Configuration{}
tlsConfigs := map[string]*tls.CertAndStores{}
err := getTLS(context.Background(), test.ingress, test.client, tlsConfigs)
if test.errResult != "" {