From 48aafe4aae6cb49e73cf2298d3bd5639c14382bc Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Tue, 19 Dec 2023 14:07:33 +0100 Subject: [PATCH] Host cluster-local-domain TLS on local listener with SNI --- config/203-local-gateway.yaml | 3 + pkg/reconciler/ingress/ingress.go | 76 ++-- pkg/reconciler/ingress/ingress_test.go | 366 +++++++++++++++--- pkg/reconciler/ingress/resources/gateway.go | 29 +- .../ingress/resources/gateway_test.go | 73 +++- pkg/reconciler/ingress/resources/secret.go | 10 +- .../ingress/resources/secret_test.go | 2 +- 7 files changed, 450 insertions(+), 109 deletions(-) diff --git a/config/203-local-gateway.yaml b/config/203-local-gateway.yaml index cd250cb4a4..1159beaa4a 100644 --- a/config/203-local-gateway.yaml +++ b/config/203-local-gateway.yaml @@ -55,3 +55,6 @@ spec: - name: http2 port: 80 targetPort: 8081 + - name: https + port: 443 + targetPort: 8443 diff --git a/pkg/reconciler/ingress/ingress.go b/pkg/reconciler/ingress/ingress.go index 4e79f88550..2289f8278b 100644 --- a/pkg/reconciler/ingress/ingress.go +++ b/pkg/reconciler/ingress/ingress.go @@ -57,10 +57,9 @@ import ( ) const ( - virtualServiceConditionReconciled = "Reconciled" - virtualServiceNotReconciled = "ReconcileVirtualServiceFailed" - notReconciledReason = "ReconcileIngressFailed" - notReconciledMessage = "Ingress reconciliation failed" + virtualServiceNotReconciled = "ReconcileVirtualServiceFailed" + notReconciledReason = "ReconcileIngressFailed" + notReconciledMessage = "Ingress reconciliation failed" ) // Reconciler implements the control loop for the Ingress resources. @@ -106,8 +105,8 @@ func (r *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress logger := logging.FromContext(ctx) // We may be reading a version of the object that was stored at an older version - // and may not have had all of the assumed defaults specified. This won't result - // in this getting written back to the API Server, but lets downstream logic make + // and may not have had all the assumed defaults specified. This won't result + // in this getting written back to the API Server, but let's downstream logic make // assumptions about defaulting. ing.SetDefaults(ctx) @@ -118,9 +117,9 @@ func (r *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress gatewayNames[v1alpha1.IngressVisibilityClusterLocal] = qualifiedGatewayNamesFromContext(ctx)[v1alpha1.IngressVisibilityClusterLocal] gatewayNames[v1alpha1.IngressVisibilityExternalIP] = sets.New[string]() - ingressGateways := []*v1beta1.Gateway{} - if shouldReconcileTLS(ing) { - originSecrets, err := resources.GetSecrets(ing, r.secretLister) + externalIngressGateways := []*v1beta1.Gateway{} + if shouldReconcileExternalDomainTLS(ing) { + originSecrets, err := resources.GetSecrets(ing, v1alpha1.IngressVisibilityExternalIP, r.secretLister) if err != nil { return err } @@ -144,7 +143,8 @@ func (r *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress } nonWildcardIngressTLS := resources.GetNonWildcardIngressTLS(ing.GetIngressTLSForVisibility(v1alpha1.IngressVisibilityExternalIP), nonWildcardSecrets) - ingressGateways, err = resources.MakeIngressTLSGateways(ctx, ing, nonWildcardIngressTLS, nonWildcardSecrets, r.svcLister) + externalIngressGateways, err = resources.MakeIngressTLSGateways(ctx, ing, v1alpha1.IngressVisibilityExternalIP, + nonWildcardIngressTLS, nonWildcardSecrets, r.svcLister) if err != nil { return err } @@ -164,17 +164,38 @@ func (r *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress gatewayNames[v1alpha1.IngressVisibilityExternalIP].Insert(resources.GetQualifiedGatewayNames(desiredWildcardGateways)...) } + cfg := config.FromContext(ctx) + clusterLocalIngressGateways := []*v1beta1.Gateway{} + if cfg.Network.ClusterLocalDomainTLS == netconfig.EncryptionEnabled && shouldReconcileClusterLocalDomainTLS(ing) { + originSecrets, err := resources.GetSecrets(ing, v1alpha1.IngressVisibilityClusterLocal, r.secretLister) + if err != nil { + return err + } + targetSecrets, err := resources.MakeSecrets(ctx, originSecrets, ing) + if err != nil { + return err + } + if err = r.reconcileCertSecrets(ctx, ing, targetSecrets); err != nil { + return err + } + clusterLocalIngressGateways, err = resources.MakeIngressTLSGateways(ctx, ing, v1alpha1.IngressVisibilityClusterLocal, + ing.GetIngressTLSForVisibility(v1alpha1.IngressVisibilityClusterLocal), originSecrets, r.svcLister) + if err != nil { + return err + } + } + if shouldReconcileHTTPServer(ing) { httpServer := resources.MakeHTTPServer(ing.Spec.HTTPOption, getPublicHosts(ing)) - if len(ingressGateways) == 0 { + if len(externalIngressGateways) == 0 { var err error - if ingressGateways, err = resources.MakeIngressGateways(ctx, ing, []*istiov1beta1.Server{httpServer}, r.svcLister); err != nil { + if externalIngressGateways, err = resources.MakeExternalIngressGateways(ctx, ing, []*istiov1beta1.Server{httpServer}, r.svcLister); err != nil { return err } } else { // add HTTP Server into ingressGateways. - for i := range ingressGateways { - ingressGateways[i].Spec.Servers = append(ingressGateways[i].Spec.Servers, httpServer) + for i := range externalIngressGateways { + externalIngressGateways[i].Spec.Servers = append(externalIngressGateways[i].Spec.Servers, httpServer) } } } else { @@ -184,10 +205,15 @@ func (r *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress gatewayNames[v1alpha1.IngressVisibilityExternalIP].Insert(sets.List(defaultGlobalHTTPGateways)...) } - if err := r.reconcileIngressGateways(ctx, ingressGateways); err != nil { + if err := r.reconcileIngressGateways(ctx, externalIngressGateways); err != nil { return err } - gatewayNames[v1alpha1.IngressVisibilityExternalIP].Insert(resources.GetQualifiedGatewayNames(ingressGateways)...) + gatewayNames[v1alpha1.IngressVisibilityExternalIP].Insert(resources.GetQualifiedGatewayNames(externalIngressGateways)...) + + if err := r.reconcileIngressGateways(ctx, clusterLocalIngressGateways); err != nil { + return err + } + gatewayNames[v1alpha1.IngressVisibilityClusterLocal].Insert(resources.GetQualifiedGatewayNames(clusterLocalIngressGateways)...) if config.FromContext(ctx).Network.SystemInternalTLSEnabled() { logger.Info("reconciling DestinationRules for system-internal-tls") @@ -410,16 +436,16 @@ func (r *Reconciler) FinalizeKind(ctx context.Context, ing *v1alpha1.Ingress) pk } } - return r.reconcileDeletion(ctx, ing) + return r.cleanupCertificateSecrets(ctx, ing) } -func (r *Reconciler) reconcileDeletion(ctx context.Context, ing *v1alpha1.Ingress) error { - if !shouldReconcileTLS(ing) { +func (r *Reconciler) cleanupCertificateSecrets(ctx context.Context, ing *v1alpha1.Ingress) error { + if !shouldReconcileExternalDomainTLS(ing) && !shouldReconcileClusterLocalDomainTLS(ing) { return nil } errs := []error{} - for _, tls := range ing.GetIngressTLSForVisibility(v1alpha1.IngressVisibilityExternalIP) { + for _, tls := range ing.Spec.TLS { nameNamespaces, err := resources.GetIngressGatewaySvcNameNamespaces(ctx) if err != nil { errs = append(errs, err) @@ -541,13 +567,17 @@ func getLBStatus(gatewayServiceURL string) []v1alpha1.LoadBalancerIngressStatus } } -func shouldReconcileTLS(ing *v1alpha1.Ingress) bool { +func shouldReconcileExternalDomainTLS(ing *v1alpha1.Ingress) bool { return isIngressPublic(ing) && len(ing.GetIngressTLSForVisibility(v1alpha1.IngressVisibilityExternalIP)) > 0 } +func shouldReconcileClusterLocalDomainTLS(ing *v1alpha1.Ingress) bool { + return len(ing.GetIngressTLSForVisibility(v1alpha1.IngressVisibilityClusterLocal)) > 0 +} + func shouldReconcileHTTPServer(ing *v1alpha1.Ingress) bool { - // We will create a Ingress specific HTTPServer when - // 1. auto TLS is enabled as in this case users want us to fully handle the TLS/HTTP behavior, + // We will create an Ingress specific HTTPServer when + // 1. external-domain-tls is enabled as in this case users want us to fully handle the TLS/HTTP behavior, // 2. HTTPOption is set to Redirected as we don't have default HTTP server supporting HTTP redirection. return isIngressPublic(ing) && (ing.Spec.HTTPOption == v1alpha1.HTTPOptionRedirected || len(ing.GetIngressTLSForVisibility(v1alpha1.IngressVisibilityExternalIP)) > 0) } diff --git a/pkg/reconciler/ingress/ingress_test.go b/pkg/reconciler/ingress/ingress_test.go index 32e262767b..81d70a25d1 100644 --- a/pkg/reconciler/ingress/ingress_test.go +++ b/pkg/reconciler/ingress/ingress_test.go @@ -182,13 +182,17 @@ var ( "gateway." + config.KnativeIngressGateway: newDomainInternal, "gateway.knative-test-gateway": originDomainInternal, } - ingressGateway = map[v1alpha1.IngressVisibility]sets.Set[string]{ + externalIngressGateway = map[v1alpha1.IngressVisibility]sets.Set[string]{ v1alpha1.IngressVisibilityExternalIP: sets.New(config.KnativeIngressGateway), } + localIngressGateway = map[v1alpha1.IngressVisibility]sets.Set[string]{ + v1alpha1.IngressVisibilityClusterLocal: sets.New(config.KnativeLocalGateway), + } gateways = map[v1alpha1.IngressVisibility]sets.Set[string]{ v1alpha1.IngressVisibilityExternalIP: sets.New[string]("knative-test-gateway", config.KnativeIngressGateway), } - perIngressGatewayName = resources.GatewayName(ingressWithTLS("reconciling-ingress", ingressTLS), ingressService) + externalIngressTLSGatewayName = resources.GatewayName(ingressWithTLS("reconciling-ingress", externalIngressTLS), v1alpha1.IngressVisibilityExternalIP, ingressService) + localIngressTLSGatewayName = resources.GatewayName(ingressWithTLS("reconciling-ingress", localIngressTLS), v1alpha1.IngressVisibilityClusterLocal, ingressService) ) var ( @@ -228,14 +232,20 @@ var ( Visibility: v1alpha1.IngressVisibilityClusterLocal, }} - ingressTLS = []v1alpha1.IngressTLS{{ + externalIngressTLS = []v1alpha1.IngressTLS{{ Hosts: []string{"host-tls.example.com"}, SecretName: "secret0", SecretNamespace: "istio-system", }} - // The gateway server according to ingressTLS. - ingressTLSServer = &istiov1beta1.Server{ + localIngressTLS = []v1alpha1.IngressTLS{{ + Hosts: []string{"host-tls.test-ns.svc.cluster.local"}, + SecretName: "secret0", + SecretNamespace: "istio-system", + }} + + // The gateway server according to externalIngressTLS. + externalIngressTLSServer = &istiov1beta1.Server{ Hosts: []string{"host-tls.example.com"}, Port: &istiov1beta1.Port{ Name: "test-ns/reconciling-ingress:0", @@ -251,6 +261,22 @@ var ( }, } + localIngressTLSServer = &istiov1beta1.Server{ + Hosts: []string{"host-tls.test-ns.svc.cluster.local"}, + Port: &istiov1beta1.Port{ + Name: "test-ns/reconciling-ingress:0", + Number: 443, + Protocol: "HTTPS", + }, + Tls: &istiov1beta1.ServerTLSSettings{ + Mode: istiov1beta1.ServerTLSSettings_SIMPLE, + ServerCertificate: "tls.crt", + PrivateKey: "tls.key", + CredentialName: "secret0", + MinProtocolVersion: istiov1beta1.ServerTLSSettings_TLSV1_2, + }, + } + ingressHTTPServer = &istiov1beta1.Server{ Hosts: []string{"host-tls.example.com"}, Port: &istiov1beta1.Port{ @@ -272,7 +298,7 @@ var ( }, } - // The gateway server irrelevant to ingressTLS. + // The gateway server irrelevant to externalIngressTLS. irrelevantServer = &istiov1beta1.Server{ Hosts: []string{"host-tls.example.com", "host-tls.test-ns.svc.cluster.local"}, Port: &istiov1beta1.Port{ @@ -712,24 +738,24 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { Name: "create Ingress Gateway to match newly created Ingress", SkipNamespaceValidation: true, Objects: []runtime.Object{ - ingressWithTLS("reconciling-ingress", ingressTLS), + ingressWithTLS("reconciling-ingress", externalIngressTLS), originSecret("istio-system", "secret0"), ingressService, }, WantCreates: []runtime.Object{ // The newly created per-Ingress Gateway. - gateway(perIngressGatewayName, testNS, []*istiov1beta1.Server{ingressTLSServer, ingressHTTPServer}, - withOwnerRef(ingressWithTLS("reconciling-ingress", ingressTLS)), + gateway(externalIngressTLSGatewayName, testNS, []*istiov1beta1.Server{externalIngressTLSServer, ingressHTTPServer}, + withOwnerRef(ingressWithTLS("reconciling-ingress", externalIngressTLS)), withLabels(gwLabels), withSelector(selector)), - resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLS)), ingressGateway), - resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLS)), makeGatewayMap([]string{"test-ns/" + perIngressGatewayName}, nil)), + resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", externalIngressTLS)), externalIngressGateway), + resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", externalIngressTLS)), makeGatewayMap([]string{"test-ns/" + externalIngressTLSGatewayName}, nil)), }, WantPatches: []clientgotesting.PatchActionImpl{ patchAddFinalizerAction("reconciling-ingress", ingressFinalizer), }, WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ Object: ingressWithTLSAndStatus("reconciling-ingress", - ingressTLS, + externalIngressTLS, v1alpha1.IngressStatus{ PublicLoadBalancer: &v1alpha1.LoadBalancerStatus{ Ingress: []v1alpha1.LoadBalancerIngressStatus{ @@ -770,25 +796,25 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { Name: "Update Ingress Gateway to match Ingress", SkipNamespaceValidation: true, Objects: []runtime.Object{ - ingressWithTLS("reconciling-ingress", ingressTLS), + ingressWithTLS("reconciling-ingress", externalIngressTLS), // The existing Ingress gateway does not have HTTPS server. - gateway(perIngressGatewayName, testNS, - []*istiov1beta1.Server{}, withOwnerRef(ingressWithTLS("reconciling-ingress", ingressTLS)), + gateway(externalIngressTLSGatewayName, testNS, + []*istiov1beta1.Server{}, withOwnerRef(ingressWithTLS("reconciling-ingress", externalIngressTLS)), withLabels(gwLabels), withSelector(selector)), originSecret("istio-system", "secret0"), ingressService, }, WantCreates: []runtime.Object{ - gateway(perIngressGatewayName, testNS, - []*istiov1beta1.Server{}, withOwnerRef(ingressWithTLS("reconciling-ingress", ingressTLS)), + gateway(externalIngressTLSGatewayName, testNS, + []*istiov1beta1.Server{}, withOwnerRef(ingressWithTLS("reconciling-ingress", externalIngressTLS)), withLabels(gwLabels), withSelector(selector)), - resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLS)), ingressGateway), - resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLS)), makeGatewayMap([]string{"test-ns/" + perIngressGatewayName}, nil)), + resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", externalIngressTLS)), externalIngressGateway), + resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", externalIngressTLS)), makeGatewayMap([]string{"test-ns/" + externalIngressTLSGatewayName}, nil)), }, WantUpdates: []clientgotesting.UpdateActionImpl{{ - Object: gateway(perIngressGatewayName, testNS, - []*istiov1beta1.Server{ingressTLSServer, ingressHTTPServer}, withOwnerRef(ingressWithTLS("reconciling-ingress", ingressTLS)), + Object: gateway(externalIngressTLSGatewayName, testNS, + []*istiov1beta1.Server{externalIngressTLSServer, ingressHTTPServer}, withOwnerRef(ingressWithTLS("reconciling-ingress", externalIngressTLS)), withLabels(gwLabels), withSelector(selector)), }}, WantPatches: []clientgotesting.PatchActionImpl{ @@ -796,7 +822,7 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { }, WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ Object: ingressWithTLSAndStatus("reconciling-ingress", - ingressTLS, + externalIngressTLS, v1alpha1.IngressStatus{ PublicLoadBalancer: &v1alpha1.LoadBalancerStatus{ Ingress: []v1alpha1.LoadBalancerIngressStatus{ @@ -837,7 +863,7 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { Name: "new Ingress using wildcard certificate", SkipNamespaceValidation: true, Objects: []runtime.Object{ - ingressWithTLS("reconciling-ingress", ingressTLS), + ingressWithTLS("reconciling-ingress", externalIngressTLS), wildcardCert, ingressService, }, @@ -845,20 +871,20 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { wildcardGateway(resources.WildcardGatewayName(wildcardCert.Name, ingressService.Namespace, ingressService.Name), "istio-system", []*istiov1beta1.Server{wildcardTLSServer}, selector), // The newly created per-Ingress Gateway. - gateway(perIngressGatewayName, testNS, []*istiov1beta1.Server{ingressHTTPServer}, - withOwnerRef(ingressWithTLS("reconciling-ingress", ingressTLS)), + gateway(externalIngressTLSGatewayName, testNS, []*istiov1beta1.Server{ingressHTTPServer}, + withOwnerRef(ingressWithTLS("reconciling-ingress", externalIngressTLS)), withLabels(gwLabels), withSelector(selector)), - resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLS)), ingressGateway), - resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLS)), makeGatewayMap([]string{"istio-system/" + resources.WildcardGatewayName(wildcardCert.Name, ingressService.Namespace, ingressService.Name), - "test-ns/" + perIngressGatewayName}, nil)), + resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", externalIngressTLS)), externalIngressGateway), + resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", externalIngressTLS)), makeGatewayMap([]string{"istio-system/" + resources.WildcardGatewayName(wildcardCert.Name, ingressService.Namespace, ingressService.Name), + "test-ns/" + externalIngressTLSGatewayName}, nil)), }, WantPatches: []clientgotesting.PatchActionImpl{ patchAddFinalizerAction("reconciling-ingress", ingressFinalizer), }, WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ Object: ingressWithTLSAndStatus("reconciling-ingress", - ingressTLS, + externalIngressTLS, v1alpha1.IngressStatus{ PublicLoadBalancer: &v1alpha1.LoadBalancerStatus{ Ingress: []v1alpha1.LoadBalancerIngressStatus{ @@ -898,7 +924,7 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { }, { Name: "No preinstalled Ingress service", Objects: []runtime.Object{ - ingressWithTLS("reconciling-ingress", ingressTLS), + ingressWithTLS("reconciling-ingress", externalIngressTLS), originSecret("istio-system", "secret0"), }, WantPatches: []clientgotesting.PatchActionImpl{ @@ -906,7 +932,7 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { }, WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ Object: ingressWithTLSAndStatus("reconciling-ingress", - ingressTLS, + externalIngressTLS, v1alpha1.IngressStatus{ Status: duckv1.Status{ Conditions: duckv1.Conditions{{ @@ -939,13 +965,13 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { Name: "delete Ingress", SkipNamespaceValidation: true, Objects: []runtime.Object{ - ingressWithFinalizers("reconciling-ingress", ingressTLS, []string{ingressFinalizer}, &deletionTime), + ingressWithFinalizers("reconciling-ingress", externalIngressTLS, []string{ingressFinalizer}, &deletionTime), // ingressHTTPRedirectServer should not be deleted when deleting ingress related TLS server.. - gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer, ingressTLSServer, ingressHTTPRedirectServer}), + gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer, externalIngressTLSServer, ingressHTTPRedirectServer}), }, WantCreates: []runtime.Object{ // The creation of gateways are triggered when setting up the test. - gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer, ingressTLSServer, ingressHTTPRedirectServer}), + gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer, externalIngressTLSServer, ingressHTTPRedirectServer}), }, WantUpdates: []clientgotesting.UpdateActionImpl{{ Object: gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{ingressHTTPRedirectServer, irrelevantServer}), @@ -963,14 +989,14 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { Name: "delete ingress with leftover secrets", SkipNamespaceValidation: true, Objects: []runtime.Object{ - ingressWithFinalizers("reconciling-ingress", ingressTLS, []string{ingressFinalizer}, &deletionTime), + ingressWithFinalizers("reconciling-ingress", externalIngressTLS, []string{ingressFinalizer}, &deletionTime), // ingressHTTPRedirectServer should not be deleted when deleting ingress related TLS server.. - gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer, ingressTLSServer, ingressHTTPRedirectServer}), + gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer, externalIngressTLSServer, ingressHTTPRedirectServer}), targetSecret("istio-system", "targetSecret", resources.MakeTargetSecretLabels("secret0", "istio-system")), }, WantCreates: []runtime.Object{ // The creation of gateways are triggered when setting up the test. - gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer, ingressTLSServer, ingressHTTPRedirectServer}), + gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer, externalIngressTLSServer, ingressHTTPRedirectServer}), }, WantUpdates: []clientgotesting.UpdateActionImpl{{ Object: gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{ingressHTTPRedirectServer, irrelevantServer}), @@ -1004,13 +1030,13 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { }, WantCreates: []runtime.Object{ // The newly created per-Ingress Gateway. - gateway(perIngressGatewayName, testNS, - []*istiov1beta1.Server{withCredentialName(deepCopy(ingressTLSServer), targetSecretName), ingressHTTPServer}, - withOwnerRef(ingressWithTLS("reconciling-ingress", ingressTLS)), + gateway(externalIngressTLSGatewayName, testNS, + []*istiov1beta1.Server{withCredentialName(deepCopy(externalIngressTLSServer), targetSecretName), ingressHTTPServer}, + withOwnerRef(ingressWithTLS("reconciling-ingress", externalIngressTLS)), withLabels(gwLabels), withSelector(selector)), - resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLSWithSecretNamespace("knative-serving"))), ingressGateway), - resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLSWithSecretNamespace("knative-serving"))), makeGatewayMap([]string{"test-ns/" + perIngressGatewayName}, nil)), + resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLSWithSecretNamespace("knative-serving"))), externalIngressGateway), + resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLSWithSecretNamespace("knative-serving"))), makeGatewayMap([]string{"test-ns/" + externalIngressTLSGatewayName}, nil)), // The secret copy under istio-system. targetSecret("istio-system", targetSecretName, map[string]string{ @@ -1069,9 +1095,9 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { ingressWithTLS("reconciling-ingress", ingressTLSWithSecretNamespace("knative-serving")), // The newly created per-Ingress Gateway. - gateway(perIngressGatewayName, testNS, - []*istiov1beta1.Server{withCredentialName(deepCopy(ingressTLSServer), targetSecretName), ingressHTTPServer}, - withOwnerRef(ingressWithTLS("reconciling-ingress", ingressTLS)), + gateway(externalIngressTLSGatewayName, testNS, + []*istiov1beta1.Server{withCredentialName(deepCopy(externalIngressTLSServer), targetSecretName), ingressHTTPServer}, + withOwnerRef(ingressWithTLS("reconciling-ingress", externalIngressTLS)), withLabels(gwLabels), withSelector(selector)), ingressService, @@ -1094,13 +1120,13 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { }, }, WantCreates: []runtime.Object{ - gateway(perIngressGatewayName, testNS, - []*istiov1beta1.Server{withCredentialName(deepCopy(ingressTLSServer), targetSecretName), ingressHTTPServer}, - withOwnerRef(ingressWithTLS("reconciling-ingress", ingressTLS)), + gateway(externalIngressTLSGatewayName, testNS, + []*istiov1beta1.Server{withCredentialName(deepCopy(externalIngressTLSServer), targetSecretName), ingressHTTPServer}, + withOwnerRef(ingressWithTLS("reconciling-ingress", externalIngressTLS)), withLabels(gwLabels), withSelector(selector)), - resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLSWithSecretNamespace("knative-serving"))), ingressGateway), - resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLSWithSecretNamespace("knative-serving"))), makeGatewayMap([]string{"test-ns/" + perIngressGatewayName}, nil)), + resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLSWithSecretNamespace("knative-serving"))), externalIngressGateway), + resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", ingressTLSWithSecretNamespace("knative-serving"))), makeGatewayMap([]string{"test-ns/" + externalIngressTLSGatewayName}, nil)), }, WantUpdates: []clientgotesting.UpdateActionImpl{{ Object: &corev1.Secret{ @@ -1161,18 +1187,18 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { Key: "test-ns/reconciling-ingress", CmpOpts: defaultCmpOptsList, }, { - Name: "Reconcile with autoTLS but cluster local visibilty, mesh only", + Name: "Reconcile with external-domain-tls but cluster local visibility, mesh only", SkipNamespaceValidation: true, Objects: []runtime.Object{ - ingressWithTLSClusterLocal("reconciling-ingress", ingressTLS), + ingressWithTLSClusterLocal("reconciling-ingress", externalIngressTLS), originSecret("istio-system", "secret0"), }, WantCreates: []runtime.Object{ - resources.MakeMeshVirtualService(insertProbe(ingressWithTLSClusterLocal("reconciling-ingress", ingressTLS)), ingressGateway), + resources.MakeMeshVirtualService(insertProbe(ingressWithTLSClusterLocal("reconciling-ingress", externalIngressTLS)), externalIngressGateway), }, WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ Object: ingressWithTLSAndStatusClusterLocal("reconciling-ingress", - ingressTLS, + externalIngressTLS, v1alpha1.IngressStatus{ PublicLoadBalancer: &v1alpha1.LoadBalancerStatus{ Ingress: []v1alpha1.LoadBalancerIngressStatus{ @@ -1261,6 +1287,226 @@ func TestReconcile_ExternalDomainTLS(t *testing.T) { })) } +func TestReconcile_ClusterLocalDomainTLS(t *testing.T) { + table := TableTest{{ + Name: "create local TLS gateway for an ingress with cluster-local TLS", + SkipNamespaceValidation: true, + Objects: []runtime.Object{ + ingressWithTLS("reconciling-ingress", localIngressTLS), + originSecret("istio-system", "secret0"), + ingressService, + }, + WantCreates: []runtime.Object{ + gateway(localIngressTLSGatewayName, testNS, []*istiov1beta1.Server{localIngressTLSServer}, + withOwnerRef(ingressWithTLS("reconciling-ingress", localIngressTLS)), + withLabels(gwLabels), withSelector(selector)), + resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", localIngressTLS)), localIngressGateway), + resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", localIngressTLS)), + makeGatewayMap([]string{"knative-testing/" + config.KnativeIngressGateway}, []string{"knative-testing/" + config.KnativeLocalGateway, "test-ns/" + localIngressTLSGatewayName})), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchAddFinalizerAction("reconciling-ingress", ingressFinalizer), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: ingressWithTLSAndStatus("reconciling-ingress", + localIngressTLS, + v1alpha1.IngressStatus{ + PublicLoadBalancer: &v1alpha1.LoadBalancerStatus{ + Ingress: []v1alpha1.LoadBalancerIngressStatus{ + {DomainInternal: pkgnet.GetServiceHostname("istio-ingressgateway", "istio-system")}, + }, + }, + PrivateLoadBalancer: &v1alpha1.LoadBalancerStatus{ + Ingress: []v1alpha1.LoadBalancerIngressStatus{ + { + DomainInternal: pkgnet.GetServiceHostname("istio-ingressgateway", "istio-system"), + MeshOnly: false, + }, + }, + }, + Status: duckv1.Status{ + Conditions: duckv1.Conditions{{ + Type: v1alpha1.IngressConditionLoadBalancerReady, + Status: corev1.ConditionTrue, + Severity: apis.ConditionSeverityError, + }, { + Type: v1alpha1.IngressConditionNetworkConfigured, + Status: corev1.ConditionTrue, + Severity: apis.ConditionSeverityError, + }, { + Type: v1alpha1.IngressConditionReady, + Status: corev1.ConditionTrue, + Severity: apis.ConditionSeverityError, + }}, + }, + }, + ), + }}, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", "reconciling-ingress"), + Eventf(corev1.EventTypeNormal, "Created", "Created VirtualService %q", "reconciling-ingress-mesh"), + Eventf(corev1.EventTypeNormal, "Created", "Created VirtualService %q", "reconciling-ingress-ingress"), + }, + Key: "test-ns/reconciling-ingress", + CmpOpts: defaultCmpOptsList, + }, { + Name: "update local TLS gateway for an ingress with cluster-local TLS", + SkipNamespaceValidation: true, + Objects: []runtime.Object{ + ingressWithTLS("reconciling-ingress", localIngressTLS), + // The existing Ingress gateway does not have HTTPS server. + gateway(localIngressTLSGatewayName, testNS, + []*istiov1beta1.Server{}, withOwnerRef(ingressWithTLS("reconciling-ingress", localIngressTLS)), + withLabels(gwLabels), withSelector(selector)), + originSecret("istio-system", "secret0"), + ingressService, + }, + WantCreates: []runtime.Object{ + gateway(localIngressTLSGatewayName, testNS, + []*istiov1beta1.Server{}, withOwnerRef(ingressWithTLS("reconciling-ingress", localIngressTLS)), + withLabels(gwLabels), withSelector(selector)), + + resources.MakeMeshVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", localIngressTLS)), localIngressGateway), + resources.MakeIngressVirtualService(insertProbe(ingressWithTLS("reconciling-ingress", localIngressTLS)), + makeGatewayMap([]string{"knative-testing/" + config.KnativeIngressGateway}, []string{"knative-testing/" + config.KnativeLocalGateway, "test-ns/" + localIngressTLSGatewayName})), + }, + WantUpdates: []clientgotesting.UpdateActionImpl{{ + Object: gateway(localIngressTLSGatewayName, testNS, + []*istiov1beta1.Server{localIngressTLSServer}, withOwnerRef(ingressWithTLS("reconciling-ingress", localIngressTLS)), + withLabels(gwLabels), withSelector(selector)), + }}, + WantPatches: []clientgotesting.PatchActionImpl{ + patchAddFinalizerAction("reconciling-ingress", ingressFinalizer), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: ingressWithTLSAndStatus("reconciling-ingress", + localIngressTLS, + v1alpha1.IngressStatus{ + PublicLoadBalancer: &v1alpha1.LoadBalancerStatus{ + Ingress: []v1alpha1.LoadBalancerIngressStatus{ + {DomainInternal: pkgnet.GetServiceHostname("istio-ingressgateway", "istio-system")}, + }, + }, + PrivateLoadBalancer: &v1alpha1.LoadBalancerStatus{ + Ingress: []v1alpha1.LoadBalancerIngressStatus{ + { + DomainInternal: pkgnet.GetServiceHostname("istio-ingressgateway", "istio-system"), + MeshOnly: false, + }, + }, + }, + Status: duckv1.Status{ + Conditions: duckv1.Conditions{{ + Type: v1alpha1.IngressConditionLoadBalancerReady, + Status: corev1.ConditionTrue, + Severity: apis.ConditionSeverityError, + }, { + Type: v1alpha1.IngressConditionNetworkConfigured, + Status: corev1.ConditionTrue, + Severity: apis.ConditionSeverityError, + }, { + Type: v1alpha1.IngressConditionReady, + Status: corev1.ConditionTrue, + Severity: apis.ConditionSeverityError, + }}, + }, + }, + ), + }}, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", "reconciling-ingress"), + Eventf(corev1.EventTypeNormal, "Created", "Created VirtualService %q", "reconciling-ingress-mesh"), + Eventf(corev1.EventTypeNormal, "Created", "Created VirtualService %q", "reconciling-ingress-ingress"), + }, + Key: "test-ns/reconciling-ingress", + CmpOpts: defaultCmpOptsList, + }, { + Name: "delete an ingress with cluster-local TLS with leftover secrets", + SkipNamespaceValidation: true, + Objects: []runtime.Object{ + ingressWithFinalizers("reconciling-ingress", localIngressTLS, []string{ingressFinalizer}, &deletionTime), + gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer}), + gateway(config.KnativeLocalGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer, localIngressTLSServer}), + targetSecret("istio-system", "targetSecret", resources.MakeTargetSecretLabels("secret0", "istio-system")), + }, + WantCreates: []runtime.Object{ + // The creation of gateways are triggered when setting up the test. + gateway(config.KnativeIngressGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer}), + gateway(config.KnativeLocalGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer, localIngressTLSServer}), + }, + WantUpdates: []clientgotesting.UpdateActionImpl{{ + Object: gateway(config.KnativeLocalGateway, system.Namespace(), []*istiov1beta1.Server{irrelevantServer}), + }}, + WantPatches: []clientgotesting.PatchActionImpl{ + patchAddFinalizerAction("reconciling-ingress", ""), + }, + WantDeletes: []clientgotesting.DeleteActionImpl{{ + ActionImpl: clientgotesting.ActionImpl{ + Namespace: "istio-system", + Verb: "delete", + Resource: corev1.SchemeGroupVersion.WithResource("secrets"), + }, + Name: "targetSecret", + }}, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "Updated", "Updated Gateway %s/%s", system.Namespace(), config.KnativeLocalGateway), + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", "reconciling-ingress"), + }, + Key: "test-ns/reconciling-ingress", + CmpOpts: defaultCmpOptsList, + }} + table.Test(t, MakeFactory(func(ctx context.Context, listers *Listers, cmw configmap.Watcher) controller.Reconciler { + + // As we use a customized resource name for Gateway CRD (i.e. `gateways`), not the one + // originally generated by kubernetes code generator (i.e. `gatewaies`), we have to + // explicitly create gateways when setting up the test per suggestion + // https://github.com/knative/serving/blob/a6852fc3b6cdce72b99c5d578dd64f2e03dabb8b/vendor/k8s.io/client-go/testing/fixture.go#L292 + gateways := getGatewaysFromObjects(listers.GetIstioObjects()) + for _, gateway := range gateways { + fakeistioclient.Get(ctx).NetworkingV1beta1().Gateways(gateway.Namespace).Create(ctx, gateway, metav1.CreateOptions{}) + } + + r := &Reconciler{ + kubeclient: kubeclient.Get(ctx), + istioClientSet: istioclient.Get(ctx), + virtualServiceLister: listers.GetVirtualServiceLister(), + destinationRuleLister: listers.GetDestinationRuleLister(), + gatewayLister: listers.GetGatewayLister(), + secretLister: listers.GetSecretLister(), + svcLister: listers.GetK8sServiceLister(), + tracker: &NullTracker{}, + statusManager: &fakestatusmanager.FakeStatusManager{ + FakeIsReady: func(ctx context.Context, ing *v1alpha1.Ingress) (bool, error) { + return true, nil + }, + }, + } + + return ingressreconciler.NewReconciler(ctx, logging.FromContext(ctx), fakenetworkingclient.Get(ctx), + listers.GetIngressLister(), controller.GetEventRecorder(ctx), r, netconfig.IstioIngressClassName, controller.Options{ + ConfigStore: &testConfigStore{ + config: &config.Config{ + Istio: &config.Istio{ + IngressGateways: []config.Gateway{{ + Namespace: system.Namespace(), + Name: config.KnativeIngressGateway, + ServiceURL: pkgnet.GetServiceHostname("istio-ingressgateway", "istio-system"), + }}, + LocalGateways: []config.Gateway{{ + Namespace: system.Namespace(), + Name: config.KnativeLocalGateway, + ServiceURL: pkgnet.GetServiceHostname("istio-ingressgateway", "istio-system"), + }}, + }, + Network: &netconfig.Config{ + ClusterLocalDomainTLS: netconfig.EncryptionEnabled, + }, + }, + }, + }) + })) +} + func getGatewaysFromObjects(objects []runtime.Object) []*v1beta1.Gateway { gateways := []*v1beta1.Gateway{} for _, object := range objects { @@ -1351,7 +1597,7 @@ func deepCopy(server *istiov1beta1.Server) *istiov1beta1.Server { func ingressTLSWithSecretNamespace(namespace string) []v1alpha1.IngressTLS { result := []v1alpha1.IngressTLS{} - for _, tls := range ingressTLS { + for _, tls := range externalIngressTLS { tls.SecretNamespace = namespace result = append(result, tls) } @@ -1673,8 +1919,8 @@ func TestGlobalResyncOnUpdateNetwork(t *testing.T) { h.OnUpdate(&istioClient.Fake, "gateways", func(obj runtime.Object) HookResult { createdGateway := obj.(*v1beta1.Gateway) // The expected gateway should include the Istio TLS server. - expectedGateway := gateway(perIngressGatewayName, testNS, - []*istiov1beta1.Server{ingressTLSServer, ingressHTTPServer}, withOwnerRef(ingressWithTLS("reconciling-ingress", ingressTLS)), + expectedGateway := gateway(externalIngressTLSGatewayName, testNS, + []*istiov1beta1.Server{externalIngressTLSServer, ingressHTTPServer}, withOwnerRef(ingressWithTLS("reconciling-ingress", externalIngressTLS)), withLabels(gwLabels), withSelector(selector)) if diff := cmp.Diff(createdGateway, expectedGateway, protocmp.Transform()); diff != "" { t.Log("Unexpected Gateway (-want, +got):", diff) @@ -1703,7 +1949,7 @@ func TestGlobalResyncOnUpdateNetwork(t *testing.T) { grp.Go(func() error { return ctrl.RunContext(ctx, 1) }) ingress := ingressWithTLSAndStatus("reconciling-ingress", - ingressTLS, + externalIngressTLS, v1alpha1.IngressStatus{ PrivateLoadBalancer: &v1alpha1.LoadBalancerStatus{ Ingress: []v1alpha1.LoadBalancerIngressStatus{ @@ -1737,8 +1983,8 @@ func TestGlobalResyncOnUpdateNetwork(t *testing.T) { // Create an Ingress gateway ingressGatewayClient := istioClient.NetworkingV1beta1().Gateways(testNS) - ingressGateway := gateway(perIngressGatewayName, testNS, - []*istiov1beta1.Server{}, withOwnerRef(ingressWithTLS("reconciling-ingress", ingressTLS)), + ingressGateway := gateway(externalIngressTLSGatewayName, testNS, + []*istiov1beta1.Server{}, withOwnerRef(ingressWithTLS("reconciling-ingress", externalIngressTLS)), withLabels(gwLabels), withSelector(selector)) if _, err := ingressGatewayClient.Create(ctx, ingressGateway, metav1.CreateOptions{}); err != nil { t.Fatal("Error creating gateway:", err) diff --git a/pkg/reconciler/ingress/resources/gateway.go b/pkg/reconciler/ingress/resources/gateway.go index 4dd38ba6dd..de133bfbbb 100644 --- a/pkg/reconciler/ingress/resources/gateway.go +++ b/pkg/reconciler/ingress/resources/gateway.go @@ -45,6 +45,7 @@ const ( GatewayHTTPPort = 80 dns1123LabelMaxLength = 63 // Public for testing only. dns1123LabelFmt = "[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?" + localGatewayPostfix = "-local" ) var httpServerPortName = "http-server" @@ -105,7 +106,8 @@ func SortServers(servers []*istiov1beta1.Server) []*istiov1beta1.Server { } // MakeIngressTLSGateways creates Gateways that have only TLS servers for a given Ingress. -func MakeIngressTLSGateways(ctx context.Context, ing *v1alpha1.Ingress, ingressTLS []v1alpha1.IngressTLS, originSecrets map[string]*corev1.Secret, svcLister corev1listers.ServiceLister) ([]*v1beta1.Gateway, error) { +func MakeIngressTLSGateways(ctx context.Context, ing *v1alpha1.Ingress, visibility v1alpha1.IngressVisibility, + ingressTLS []v1alpha1.IngressTLS, originSecrets map[string]*corev1.Secret, svcLister corev1listers.ServiceLister) ([]*v1beta1.Gateway, error) { // No need to create Gateway if there is no related ingress TLS. if len(ingressTLS) == 0 { return []*v1beta1.Gateway{}, nil @@ -116,17 +118,17 @@ func MakeIngressTLSGateways(ctx context.Context, ing *v1alpha1.Ingress, ingressT } gateways := make([]*v1beta1.Gateway, len(gatewayServices)) for i, gatewayService := range gatewayServices { - servers, err := MakeTLSServers(ing, ing.GetIngressTLSForVisibility(v1alpha1.IngressVisibilityExternalIP), gatewayService.Namespace, originSecrets) + servers, err := MakeTLSServers(ing, ingressTLS, gatewayService.Namespace, originSecrets) if err != nil { return nil, err } - gateways[i] = makeIngressGateway(ing, gatewayService.Spec.Selector, servers, gatewayService) + gateways[i] = makeIngressGateway(ing, visibility, gatewayService.Spec.Selector, servers, gatewayService) } return gateways, nil } -// MakeIngressGateways creates Gateways with given Servers for a given Ingress. -func MakeIngressGateways(ctx context.Context, ing *v1alpha1.Ingress, servers []*istiov1beta1.Server, svcLister corev1listers.ServiceLister) ([]*v1beta1.Gateway, error) { +// MakeExternalIngressGateways creates Gateways with given Servers for a given Ingress. +func MakeExternalIngressGateways(ctx context.Context, ing *v1alpha1.Ingress, servers []*istiov1beta1.Server, svcLister corev1listers.ServiceLister) ([]*v1beta1.Gateway, error) { gatewayServices, err := getGatewayServices(ctx, svcLister) if err != nil { return nil, err @@ -136,7 +138,7 @@ func MakeIngressGateways(ctx context.Context, ing *v1alpha1.Ingress, servers []* if err != nil { return nil, err } - gateways[i] = makeIngressGateway(ing, gatewayService.Spec.Selector, servers, gatewayService) + gateways[i] = makeIngressGateway(ing, v1alpha1.IngressVisibilityExternalIP, gatewayService.Spec.Selector, servers, gatewayService) } return gateways, nil } @@ -244,14 +246,14 @@ func GatewayRef(gw *v1beta1.Gateway) tracker.Reference { } } -func makeIngressGateway(ing *v1alpha1.Ingress, selector map[string]string, servers []*istiov1beta1.Server, gatewayService *corev1.Service) *v1beta1.Gateway { +func makeIngressGateway(ing *v1alpha1.Ingress, visibility v1alpha1.IngressVisibility, selector map[string]string, servers []*istiov1beta1.Server, gatewayService *corev1.Service) *v1beta1.Gateway { return &v1beta1.Gateway{ ObjectMeta: metav1.ObjectMeta{ - Name: GatewayName(ing, gatewayService), + Name: GatewayName(ing, visibility, gatewayService), Namespace: ing.GetNamespace(), OwnerReferences: []metav1.OwnerReference{*kmeta.NewControllerRef(ing)}, Labels: map[string]string{ - // We need this label to find out all of Gateways of a given Ingress. + // We need this label to find out all Gateways of a given Ingress. networking.IngressLabelKey: ing.GetName(), }, }, @@ -280,13 +282,16 @@ func getGatewayServices(ctx context.Context, svcLister corev1listers.ServiceList // GatewayName create a name for the Gateway that is built based on the given Ingress and bonds to the // given ingress gateway service. -func GatewayName(accessor kmeta.Accessor, gatewaySvc *corev1.Service) string { +func GatewayName(accessor kmeta.Accessor, visibility v1alpha1.IngressVisibility, gatewaySvc *corev1.Service) string { prefix := accessor.GetName() if !isDNS1123Label(prefix) { prefix = fmt.Sprint(adler32.Checksum([]byte(prefix))) } gatewayServiceKey := fmt.Sprintf("%s/%s", gatewaySvc.Namespace, gatewaySvc.Name) + if visibility == v1alpha1.IngressVisibilityClusterLocal { + gatewayServiceKey += localGatewayPostfix + } gatewayServiceKeyChecksum := fmt.Sprint(adler32.Checksum([]byte(gatewayServiceKey))) // Ensure that the overall gateway name still is a DNS1123 label @@ -368,10 +373,10 @@ func MakeHTTPServer(httpOption v1alpha1.HTTPOption, hosts []string) *istiov1beta } // GetNonWildcardIngressTLS gets Ingress TLS that do not reference wildcard certificates. -func GetNonWildcardIngressTLS(ingressTLS []v1alpha1.IngressTLS, nonWildcardSecrest map[string]*corev1.Secret) []v1alpha1.IngressTLS { +func GetNonWildcardIngressTLS(ingressTLS []v1alpha1.IngressTLS, nonWildcardSecrets map[string]*corev1.Secret) []v1alpha1.IngressTLS { result := []v1alpha1.IngressTLS{} for _, tls := range ingressTLS { - if _, ok := nonWildcardSecrest[secretKey(tls)]; ok { + if _, ok := nonWildcardSecrets[secretKey(tls)]; ok { result = append(result, tls) } } diff --git a/pkg/reconciler/ingress/resources/gateway_test.go b/pkg/reconciler/ingress/resources/gateway_test.go index 208e0a303e..f972a6f1ba 100644 --- a/pkg/reconciler/ingress/resources/gateway_test.go +++ b/pkg/reconciler/ingress/resources/gateway_test.go @@ -455,7 +455,7 @@ func TestUpdateGateway(t *testing.T) { }, { name: "Delete servers from Gateway and no real servers are left", - // All of the servers in the original gateway will be deleted. + // All the servers in the original gateway will be deleted. existingServers: []*istiov1beta1.Server{{ Hosts: []string{"host1.example.com"}, Port: &istiov1beta1.Port{ @@ -725,7 +725,7 @@ func TestGetQualifiedGatewayNames(t *testing.T) { } } -func TestMakeIngressGateways(t *testing.T) { +func TestMakeExternalIngressGateways(t *testing.T) { cases := []struct { name string ia *v1alpha1.Ingress @@ -785,9 +785,9 @@ func TestMakeIngressGateways(t *testing.T) { }, }) t.Run(c.name, func(t *testing.T) { - got, err := MakeIngressGateways(ctx, c.ia, c.servers, svcLister) + got, err := MakeExternalIngressGateways(ctx, c.ia, c.servers, svcLister) if (err != nil) != c.wantErr { - t.Fatalf("Test: %s; MakeIngressTLSGateways error = %v, WantErr %v", c.name, err, c.wantErr) + t.Fatalf("Test: %s; MakeExternalIngressGateways error = %v, WantErr %v", c.name, err, c.wantErr) } if diff := cmp.Diff(c.want, got, defaultGatewayCmpOpts); diff != "" { t.Error("Unexpected Gateways (-want, +got):", diff) @@ -800,6 +800,7 @@ func TestMakeIngressTLSGateways(t *testing.T) { cases := []struct { name string ia *v1alpha1.Ingress + visibility v1alpha1.IngressVisibility originSecrets map[string]*corev1.Secret gatewayService *corev1.Service want []*v1beta1.Gateway @@ -807,6 +808,7 @@ func TestMakeIngressTLSGateways(t *testing.T) { }{{ name: "happy path: secret namespace is the different from the gateway service namespace", ia: &ingressResource, + visibility: v1alpha1.IngressVisibilityExternalIP, originSecrets: originSecrets, gatewayService: &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -849,6 +851,7 @@ func TestMakeIngressTLSGateways(t *testing.T) { name: "happy path: secret namespace is the same as the gateway service namespace", ia: &ingressResource, originSecrets: originSecrets, + visibility: v1alpha1.IngressVisibilityExternalIP, // The namespace of gateway service is the same as the secrets. gatewayService: &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -887,10 +890,57 @@ func TestMakeIngressTLSGateways(t *testing.T) { }}, }, }}, + }, { + name: "happy path with cluster-local visibility", + ia: func() *v1alpha1.Ingress { + ing := ingressResource.DeepCopy() + ing.Spec.Rules[0].Visibility = v1alpha1.IngressVisibilityClusterLocal + return ing + }(), + visibility: v1alpha1.IngressVisibilityClusterLocal, + originSecrets: originSecrets, + gatewayService: &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: "istio-ingressgateway", + Namespace: "istio-system", + }, + Spec: corev1.ServiceSpec{ + Selector: selector, + }, + }, + want: []*v1beta1.Gateway{{ + ObjectMeta: metav1.ObjectMeta{ + Name: fmt.Sprintf("ingress-%d", adler32.Checksum([]byte("istio-system/istio-ingressgateway-local"))), + Namespace: "test-ns", + OwnerReferences: []metav1.OwnerReference{*kmeta.NewControllerRef(&ingressResource)}, + Labels: map[string]string{ + networking.IngressLabelKey: "ingress", + }, + }, + Spec: istiov1beta1.Gateway{ + Selector: selector, + Servers: []*istiov1beta1.Server{{ + Hosts: []string{"host1.example.com"}, + Port: &istiov1beta1.Port{ + Name: "test-ns/ingress:0", + Number: 443, + Protocol: "HTTPS", + }, + Tls: &istiov1beta1.ServerTLSSettings{ + Mode: istiov1beta1.ServerTLSSettings_SIMPLE, + ServerCertificate: corev1.TLSCertKey, + PrivateKey: corev1.TLSPrivateKeyKey, + CredentialName: targetSecret(&secret, &ingressResource), + MinProtocolVersion: istiov1beta1.ServerTLSSettings_TLSV1_2, + }, + }}, + }, + }}, }, { name: "ingress name has dot", ia: &ingressResourceWithDotName, + visibility: v1alpha1.IngressVisibilityExternalIP, originSecrets: originSecrets, gatewayService: &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -932,6 +982,7 @@ func TestMakeIngressTLSGateways(t *testing.T) { }, { name: "error to make gateway because of incorrect originSecrets", ia: &ingressResource, + visibility: v1alpha1.IngressVisibilityExternalIP, originSecrets: map[string]*corev1.Secret{}, gatewayService: &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -961,7 +1012,7 @@ func TestMakeIngressTLSGateways(t *testing.T) { }, }) t.Run(c.name, func(t *testing.T) { - got, err := MakeIngressTLSGateways(ctx, c.ia, c.ia.GetIngressTLSForVisibility(v1alpha1.IngressVisibilityExternalIP), c.originSecrets, svcLister) + got, err := MakeIngressTLSGateways(ctx, c.ia, c.visibility, c.ia.GetIngressTLSForVisibility(c.visibility), c.originSecrets, svcLister) if (err != nil) != c.wantErr { t.Fatalf("Test: %s; MakeIngressTLSGateways error = %v, WantErr %v", c.name, err, c.wantErr) } @@ -999,9 +1050,15 @@ func TestGatewayName(t *testing.T) { } want := fmt.Sprintf("ingress-%d", adler32.Checksum([]byte("istio-system/gateway"))) - got := GatewayName(ingress, svc) + got := GatewayName(ingress, v1alpha1.IngressVisibilityExternalIP, svc) if got != want { - t.Errorf("Unexpected gateway name. want %q, got %q", want, got) + t.Errorf("Unexpected external gateway name. want %q, got %q", want, got) + } + + want = fmt.Sprintf("ingress-%d", adler32.Checksum([]byte("istio-system/gateway-local"))) + got = GatewayName(ingress, v1alpha1.IngressVisibilityClusterLocal, svc) + if got != want { + t.Errorf("Unexpected local gateway name. want %q, got %q", want, got) } } @@ -1020,7 +1077,7 @@ func TestGatewayNameLongIngressName(t *testing.T) { } want := fmt.Sprintf("areallyverylongdomainnamethatexcd8923dee789a086a0ac4-%d", adler32.Checksum([]byte("istio-system/gateway"))) - got := GatewayName(ingress, svc) + got := GatewayName(ingress, "", svc) if got != want { t.Errorf("Unexpected gateway name. want %q, got %q", want, got) } diff --git a/pkg/reconciler/ingress/resources/secret.go b/pkg/reconciler/ingress/resources/secret.go index ae05bca224..1ebcb9c368 100644 --- a/pkg/reconciler/ingress/resources/secret.go +++ b/pkg/reconciler/ingress/resources/secret.go @@ -33,11 +33,11 @@ import ( "knative.dev/pkg/tracker" ) -// GetSecrets gets the all of the secrets referenced by the given Ingress, and -// returns a map whose key is the a secret namespace/name key and value is pointer of the secret. -func GetSecrets(ing *v1alpha1.Ingress, secretLister corev1listers.SecretLister) (map[string]*corev1.Secret, error) { +// GetSecrets gets the all the secrets referenced by the given Ingress and visibility. +// Returns a map whose key is the secret namespace/name key and value is pointer of the secret. +func GetSecrets(ing *v1alpha1.Ingress, visibility v1alpha1.IngressVisibility, secretLister corev1listers.SecretLister) (map[string]*corev1.Secret, error) { secrets := map[string]*corev1.Secret{} - for _, tls := range ing.GetIngressTLSForVisibility(v1alpha1.IngressVisibilityExternalIP) { + for _, tls := range ing.GetIngressTLSForVisibility(visibility) { ref := secretKey(tls) if _, ok := secrets[ref]; ok { continue @@ -72,7 +72,7 @@ func MakeSecrets(ctx context.Context, originSecrets map[string]*corev1.Secret, a return secrets, nil } -// MakeWildcardSecrets copies wildcard certificates from origin namespace to the namespace of gateway servicess so they could +// MakeWildcardSecrets copies wildcard certificates from origin namespace to the namespace of gateway services, so they can be // consumed by Istio ingress. func MakeWildcardSecrets(ctx context.Context, originWildcardCerts map[string]*corev1.Secret) ([]*corev1.Secret, error) { nameNamespaces, err := GetIngressGatewaySvcNameNamespaces(ctx) diff --git a/pkg/reconciler/ingress/resources/secret_test.go b/pkg/reconciler/ingress/resources/secret_test.go index e5dd1081e3..59d0db443c 100644 --- a/pkg/reconciler/ingress/resources/secret_test.go +++ b/pkg/reconciler/ingress/resources/secret_test.go @@ -114,7 +114,7 @@ func TestGetSecrets(t *testing.T) { for _, c := range cases { createSecret(c.secret) t.Run(c.name, func(t *testing.T) { - secrets, err := GetSecrets(c.ci, secretClient.Lister()) + secrets, err := GetSecrets(c.ci, v1alpha1.IngressVisibilityExternalIP, secretClient.Lister()) if (err != nil) != c.wantErr { t.Fatalf("Test: %s; GetSecrets error = %v, WantErr %v", c.name, err, c.wantErr) }