homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Define TLS options on the Router configuration for Kubernetes

Browse source 
Co-authored-by: juliens <julien@containo.us>
This commit is contained in:
Jean-Baptiste Doumenjou 2019-06-21 17:18:05 +02:00 committed by Traefiker Bot
parent 69cf05df9a
commit 80b35575df
48 changed files with 2374 additions and 53 deletions
Download patch file Download diff file Expand all files Collapse all files

516
pkg/provider/kubernetes/crd/kubernetes_test.go
View file

@ -297,6 +297,261 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
},
},
},
{
desc: "TLS with tls options",
paths: []string{"tcp/services.yml", "tcp/with_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{
"default/test-crd-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default/test-crd-fdd3e9338e47a45efefc",
Rule: "HostSNI(`foo.com`)",
TLS: &config.RouterTCPTLSConfig{
Options: "default/foo",
},
},
},
Services: map[string]*config.TCPService{
"default/test-crd-fdd3e9338e47a45efefc": {
LoadBalancer: &config.TCPLoadBalancerService{
Servers: []config.TCPServer{
{
Address: "10.10.0.1:8000",
Port: "",
},
{
Address: "10.10.0.2:8000",
Port: "",
},
},
},
},
},
},
HTTP: &config.HTTPConfiguration{
Routers: map[string]*config.Router{},
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
},
},
{
desc: "TLS with tls options and specific namespace",
paths: []string{"tcp/services.yml", "tcp/with_tls_options_and_specific_namespace.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"myns/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{
"default/test-crd-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default/test-crd-fdd3e9338e47a45efefc",
Rule: "HostSNI(`foo.com`)",
TLS: &config.RouterTCPTLSConfig{
Options: "myns/foo",
},
},
},
Services: map[string]*config.TCPService{
"default/test-crd-fdd3e9338e47a45efefc": {
LoadBalancer: &config.TCPLoadBalancerService{
Servers: []config.TCPServer{
{
Address: "10.10.0.1:8000",
Port: "",
},
{
Address: "10.10.0.2:8000",
Port: "",
},
},
},
},
},
},
HTTP: &config.HTTPConfiguration{
Routers: map[string]*config.Router{},
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
},
},
{
desc: "TLS with bad tls options",
paths: []string{"tcp/services.yml", "tcp/with_bad_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{
"default/test-crd-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default/test-crd-fdd3e9338e47a45efefc",
Rule: "HostSNI(`foo.com`)",
TLS: &config.RouterTCPTLSConfig{
Options: "default/foo",
},
},
},
Services: map[string]*config.TCPService{
"default/test-crd-fdd3e9338e47a45efefc": {
LoadBalancer: &config.TCPLoadBalancerService{
Servers: []config.TCPServer{
{
Address: "10.10.0.1:8000",
Port: "",
},
{
Address: "10.10.0.2:8000",
Port: "",
},
},
},
},
},
},
HTTP: &config.HTTPConfiguration{
Routers: map[string]*config.Router{},
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
},
},
{
desc: "TLS with unknown tls options",
paths: []string{"tcp/services.yml", "tcp/with_unknown_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
},
},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{
"default/test-crd-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default/test-crd-fdd3e9338e47a45efefc",
Rule: "HostSNI(`foo.com`)",
TLS: &config.RouterTCPTLSConfig{
Options: "default/unknown",
},
},
},
Services: map[string]*config.TCPService{
"default/test-crd-fdd3e9338e47a45efefc": {
LoadBalancer: &config.TCPLoadBalancerService{
Servers: []config.TCPServer{
{
Address: "10.10.0.1:8000",
Port: "",
},
{
Address: "10.10.0.2:8000",
Port: "",
},
},
},
},
},
},
HTTP: &config.HTTPConfiguration{
Routers: map[string]*config.Router{},
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
},
},
{
desc: "TLS with unknown tls options namespace",
paths: []string{"tcp/services.yml", "tcp/with_unknown_tls_options_namespace.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
},
},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{
"default/test-crd-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default/test-crd-fdd3e9338e47a45efefc",
Rule: "HostSNI(`foo.com`)",
TLS: &config.RouterTCPTLSConfig{
Options: "unknown/foo",
},
},
},
Services: map[string]*config.TCPService{
"default/test-crd-fdd3e9338e47a45efefc": {
LoadBalancer: &config.TCPLoadBalancerService{
Servers: []config.TCPServer{
{
Address: "10.10.0.1:8000",
Port: "",
},
{
Address: "10.10.0.2:8000",
Port: "",
},
},
},
},
},
},
HTTP: &config.HTTPConfiguration{
Routers: map[string]*config.Router{},
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{},
},
},
},
{
desc: "TLS with ACME",
paths: []string{"tcp/services.yml", "tcp/with_tls_acme.yml"},
@ -338,6 +593,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
@ -346,7 +602,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
}
p := Provider{IngressClass: test.ingressClass}
conf := p.loadConfigurationFromIngresses(context.Background(), newClientMock(test.paths...))
conf := p.loadConfigurationFromCRD(context.Background(), newClientMock(test.paths...))
assert.Equal(t, test.expected, conf)
})
}
@ -660,6 +916,261 @@ func TestLoadIngressRoutes(t *testing.T) {
},
},
},
{
desc: "TLS with tls options",
paths: []string{"services.yml", "with_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
},
HTTP: &config.HTTPConfiguration{
Routers: map[string]*config.Router{
"default/test-crd-6b204d94623b3df4370c": {
EntryPoints: []string{"web"},
Service: "default/test-crd-6b204d94623b3df4370c",
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
TLS: &config.RouterTLSConfig{
Options: "default/foo",
},
},
},
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{
"default/test-crd-6b204d94623b3df4370c": {
LoadBalancer: &config.LoadBalancerService{
Servers: []config.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: true,
},
},
},
},
},
},
{
desc: "TLS with tls options and specific namespace",
paths: []string{"services.yml", "with_tls_options_and_specific_namespace.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"myns/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
},
HTTP: &config.HTTPConfiguration{
Routers: map[string]*config.Router{
"default/test-crd-6b204d94623b3df4370c": {
EntryPoints: []string{"web"},
Service: "default/test-crd-6b204d94623b3df4370c",
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
TLS: &config.RouterTLSConfig{
Options: "myns/foo",
},
},
},
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{
"default/test-crd-6b204d94623b3df4370c": {
LoadBalancer: &config.LoadBalancerService{
Servers: []config.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: true,
},
},
},
},
},
},
{
desc: "TLS with bad tls options",
paths: []string{"services.yml", "with_bad_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientCA: tls.ClientCA{
Files: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
Optional: true,
},
SniStrict: true,
},
},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
},
HTTP: &config.HTTPConfiguration{
Routers: map[string]*config.Router{
"default/test-crd-6b204d94623b3df4370c": {
EntryPoints: []string{"web"},
Service: "default/test-crd-6b204d94623b3df4370c",
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
TLS: &config.RouterTLSConfig{
Options: "default/foo",
},
},
},
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{
"default/test-crd-6b204d94623b3df4370c": {
LoadBalancer: &config.LoadBalancerService{
Servers: []config.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: true,
},
},
},
},
},
},
{
desc: "TLS with unknown tls options",
paths: []string{"services.yml", "with_unknown_tls_options.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
},
},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
},
HTTP: &config.HTTPConfiguration{
Routers: map[string]*config.Router{
"default/test-crd-6b204d94623b3df4370c": {
EntryPoints: []string{"web"},
Service: "default/test-crd-6b204d94623b3df4370c",
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
TLS: &config.RouterTLSConfig{
Options: "default/unknown",
},
},
},
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{
"default/test-crd-6b204d94623b3df4370c": {
LoadBalancer: &config.LoadBalancerService{
Servers: []config.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: true,
},
},
},
},
},
},
{
desc: "TLS with unknown tls options namespace",
paths: []string{"services.yml", "with_unknown_tls_options_namespace.yml"},
expected: &config.Configuration{
TLSOptions: map[string]tls.TLS{
"default/foo": {
MinVersion: "VersionTLS12",
},
},
TCP: &config.TCPConfiguration{
Routers: map[string]*config.TCPRouter{},
Services: map[string]*config.TCPService{},
},
HTTP: &config.HTTPConfiguration{
Routers: map[string]*config.Router{
"default/test-crd-6b204d94623b3df4370c": {
EntryPoints: []string{"web"},
Service: "default/test-crd-6b204d94623b3df4370c",
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
TLS: &config.RouterTLSConfig{
Options: "unknown/foo",
},
},
},
Middlewares: map[string]*config.Middleware{},
Services: map[string]*config.Service{
"default/test-crd-6b204d94623b3df4370c": {
LoadBalancer: &config.LoadBalancerService{
Servers: []config.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: true,
},
},
},
},
},
},
{
desc: "TLS with ACME",
paths: []string{"services.yml", "with_tls_acme.yml"},
@ -740,6 +1251,7 @@ func TestLoadIngressRoutes(t *testing.T) {
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
@ -748,7 +1260,7 @@ func TestLoadIngressRoutes(t *testing.T) {
}
p := Provider{IngressClass: test.ingressClass}
conf := p.loadConfigurationFromIngresses(context.Background(), newClientMock(test.paths...))
conf := p.loadConfigurationFromCRD(context.Background(), newClientMock(test.paths...))
assert.Equal(t, test.expected, conf)
})
}