Add TLSStores to Kubernetes CRD

pkg/provider/kubernetes/crd/kubernetes.go

@@ -171,6 +171,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
 		TLS: &dynamic.TLSConfiguration{
 			Certificates: getTLSConfig(tlsConfigs),
 			Options:      buildTLSOptions(ctx, client),
+			Stores:       buildTLSStores(ctx, client),
 		},
 	}
 
@@ -466,6 +467,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
 		return tlsOptions
 	}
 	tlsOptions = make(map[string]tls.Options)
+	var nsDefault []string
 
 	for _, tlsOption := range tlsOptionsCRD {
 		logger := log.FromContext(log.With(ctx, log.Str("tlsOption", tlsOption.Name), log.Str("namespace", tlsOption.Namespace)))
@@ -492,7 +494,13 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
 			clientCAs = append(clientCAs, tls.FileOrContent(cert))
 		}
 
-		tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.Options{
+		id := makeID(tlsOption.Namespace, tlsOption.Name)
+		// If the name is default, we override the default config.
+		if tlsOption.Name == "default" {
+			id = tlsOption.Name
+			nsDefault = append(nsDefault, tlsOption.Namespace)
+		}
+		tlsOptions[id] = tls.Options{
 			MinVersion:       tlsOption.Spec.MinVersion,
 			MaxVersion:       tlsOption.Spec.MaxVersion,
 			CipherSuites:     tlsOption.Spec.CipherSuites,
@@ -505,9 +513,68 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
 			PreferServerCipherSuites: tlsOption.Spec.PreferServerCipherSuites,
 		}
 	}
+
+	if len(nsDefault) > 1 {
+		delete(tlsOptions, "default")
+		log.FromContext(ctx).Errorf("Default TLS Options defined in multiple namespaces: %v", nsDefault)
+	}
+
 	return tlsOptions
 }
 
+func buildTLSStores(ctx context.Context, client Client) map[string]tls.Store {
+	tlsStoreCRD := client.GetTLSStores()
+	var tlsStores map[string]tls.Store
+
+	if len(tlsStoreCRD) == 0 {
+		return tlsStores
+	}
+	tlsStores = make(map[string]tls.Store)
+	var nsDefault []string
+
+	for _, tlsStore := range tlsStoreCRD {
+		namespace := tlsStore.Namespace
+		secretName := tlsStore.Spec.DefaultCertificate.SecretName
+		logger := log.FromContext(log.With(ctx, log.Str("tlsStore", tlsStore.Name), log.Str("namespace", namespace), log.Str("secretName", secretName)))
+
+		secret, exists, err := client.GetSecret(namespace, secretName)
+		if err != nil {
+			logger.Errorf("Failed to fetch secret %s/%s: %v", namespace, secretName, err)
+			continue
+		}
+		if !exists {
+			logger.Errorf("Secret %s/%s does not exist", namespace, secretName)
+			continue
+		}
+
+		cert, key, err := getCertificateBlocks(secret, namespace, secretName)
+		if err != nil {
+			logger.Errorf("Could not get certificate blocks: %v", err)
+			continue
+		}
+
+		id := makeID(tlsStore.Namespace, tlsStore.Name)
+		// If the name is default, we override the default config.
+		if tlsStore.Name == "default" {
+			id = tlsStore.Name
+			nsDefault = append(nsDefault, tlsStore.Namespace)
+		}
+		tlsStores[id] = tls.Store{
+			DefaultCertificate: &tls.Certificate{
+				CertFile: tls.FileOrContent(cert),
+				KeyFile:  tls.FileOrContent(key),
+			},
+		}
+	}
+
+	if len(nsDefault) > 1 {
+		delete(tlsStores, "default")
+		log.FromContext(ctx).Errorf("Default TLS Stores defined in multiple namespaces: %v", nsDefault)
+	}
+
+	return tlsStores
+}
+
 func checkStringQuoteValidity(value string) error {
 	_, err := strconv.Unquote(`"` + value + `"`)
 	return err