Allow root CA to be added through config maps

2025-03-11 15:38:05 +01:00 · 2025-03-11 15:38:05 +01:00 · ae4a00b4bc
commit ae4a00b4bc
parent 30fe11eccf
16 changed files with 516 additions and 48 deletions
--- a/pkg/provider/kubernetes/crd/fixtures/tcp/with_servers_transport.yml
+++ b/pkg/provider/kubernetes/crd/fixtures/tcp/with_servers_transport.yml
@ -48,6 +48,26 @@ data:
  ca.crt: VEVTVFJPT1RDQVM0
  tls.ca: VEVTVFJPT1RDQVM1 # <-- This should be the preferred one.

+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: root-ca5
+  namespace: foo
+
+data:
+  ca.crt: VEVTVFJPT1RDQVM2
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: root-ca6
+  namespace: foo
+
+data:
+  ca.crt: VEVTVFJPT1RDQVM3
+
 ---
 apiVersion: v1
 kind: Secret
@ -82,6 +102,26 @@ data:
  tls.crt: VEVTVENFUlQz
  tls.key: VEVTVEtFWTM=

+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: root-ca-as-config-map
+  namespace: foo
+
+data:
+  ca.crt: "TESTROOTCASFROMCONFIGMAP"
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: root-ca-as-config-map-2
+  namespace: foo
+
+data:
+  ca.crt: "TESTROOTCASFROMCONFIGMAP2"
+
 ---
 apiVersion: traefik.io/v1alpha1
 kind: ServersTransportTCP
@ -101,6 +141,12 @@ spec:
      - root-ca3
      - root-ca4
      - allcerts
+    rootCAs:
+      - configMap: root-ca-as-config-map
+      - secret: root-ca5
+        # referencing both a ConfigMap and a Secret should fail.
+      - configMap: root-ca-as-config-map-2
+        secret: root-ca6
    certificatesSecrets:
      - mtls1
      - mtls2