From b62721da1d5a43c4465c980b82cb5b7762528fd7 Mon Sep 17 00:00:00 2001
From: Julio Camarero
Date: Mon, 9 Dec 2024 13:54:28 +0100
Subject: [PATCH] implement new resolver methods

---
 .../ingress/controller/controller_test.go | 8 ++++
 internal/ingress/controller/store/store.go | 43 +++++++++++++++++++
 internal/ingress/resolver/main.go | 6 +++
 internal/ingress/resolver/main_test.go | 2 +
 internal/ingress/resolver/mock.go | 10 +++++
 5 files changed, 69 insertions(+)

diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index 9d3fea470..63deefaaa 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -121,6 +121,14 @@ func (fakeIngressStore) GetAuthCertificate(string) (*resolver.AuthSSLCert, error
 return nil, fmt.Errorf("test error")
 }
 
+func (fakeIngressStore) GetSSLClientCert(string) (*resolver.SSLClientCert, error) {
+ return nil, fmt.Errorf("test error")
+}
+
+func (fakeIngressStore) GetSSLCA(string) (*resolver.SSLCA, error) {
+ return nil, fmt.Errorf("test error")
+}
+
 func (fakeIngressStore) GetDefaultBackend() defaults.Backend {
 return defaults.Backend{}
 }
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index d4bd6136f..360e4c0f5 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -98,6 +98,12 @@ type Storer interface {
 // ca.crt: contains the certificate chain used for authentication
 GetAuthCertificate(string) (*resolver.AuthSSLCert, error)
 
+ // GetSSLClientCert resolves a given secret name into an SSL certificate.
+ GetSSLClientCert(string) (*resolver.SSLClientCert, error)
+
+ // GetSSLCA resolves a given configMap name into an SSL CA.
+ GetSSLCA(string) (*resolver.SSLCA, error)
+
 // GetDefaultBackend returns the default backend configuration
 GetDefaultBackend() defaults.Backend
 
@@ -1156,6 +1162,43 @@ func (s *k8sStore) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error
 }, nil
 }
 
+// GetSSLClientCert is used by the proxy-ssl annotations to get a cert from a secret
+func (s *k8sStore) GetSSLClientCert(name string) (*resolver.SSLClientCert, error) {
+ if _, err := s.GetLocalSSLCert(name); err != nil {
+ s.syncClientCertSecret(name)
+ }
+
+ cert, err := s.GetLocalSSLCert(name)
+ if err != nil {
+ return nil, err
+ }
+
+ return &resolver.SSLClientCert{
+ Secret: name,
+ PemFileName: cert.PemFileName,
+ }, nil
+}
+
+// GetSSLCA is used by the proxy-ssl annotations to get a ca from a configmap
+func (s *k8sStore) GetSSLCA(configMapName string) (*resolver.SSLCA, error) {
+ if _, err := s.GetLocalSSLCert(configMapName); err != nil {
+ s.syncCAConfigMap(configMapName)
+ }
+
+ cert, err := s.GetLocalSSLCert(configMapName)
+ if err != nil {
+ return nil, err
+ }
+
+ return &resolver.SSLCA{
+ ConfigMap: configMapName,
+ CAFileName: cert.CAFileName,
+ CASHA: cert.CASHA,
+ CRLFileName: cert.CRLFileName,
+ CRLSHA: cert.CRLSHA,
+ }, nil
+}
+
 func (s *k8sStore) writeSSLSessionTicketKey(cmap *corev1.ConfigMap, fileName string) {
 ticketString := ngx_template.ReadConfig(cmap.Data).SSLSessionTicketKey
 s.backendConfig.SSLSessionTicketKey = ""
diff --git a/internal/ingress/resolver/main.go b/internal/ingress/resolver/main.go
index 37973f66b..ca968ae71 100644
--- a/internal/ingress/resolver/main.go
+++ b/internal/ingress/resolver/main.go
@@ -42,6 +42,12 @@ type Resolver interface {
 // ca.crl: contains the revocation list used for authentication
 GetAuthCertificate(string) (*AuthSSLCert, error)
 
+ // GetSSLClientCert resolves a given secret name into an SSL certificate.
+ GetSSLClientCert(string) (*SSLClientCert, error)
+
+ // GetSSLCA resolves a given configMap name into an SSL CA.
+ GetSSLCA(string) (*SSLCA, error)
+
 // GetService searches for services containing the namespace and name using the character /
 GetService(string) (*apiv1.Service, error)
 }
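Review bot: GetSSLCA returns whatever GetLocalSSLCert(configMapName) holds without checking that the entry actually carries a CA, so a cached entry with an empty CAFileName would be handed back as a valid SSLCA and the proxy-ssl verification built from it would effectively have no trust anchor. A guard after the existing error check, `if cert.CAFileName == "" { return nil, fmt.Errorf("configmap %v does not contain a CA certificate", configMapName) }`, keeps that failure explicit, and the same check on PemFileName belongs in GetSSLClientCert. Both methods also look up a ConfigMap and a Secret in the same local cert store by bare name, so if syncCAConfigMap and syncClientCertSecret store under the same namespace/name key, two objects of different kinds sharing a name could overwrite each other; those helpers are outside this hunk, so this needs confirming there. Whatever the two sync calls report, if anything, is discarded, so a failed sync surfaces only as the second GetLocalSSLCert error rather than its actual cause. writeSSLSessionTicketKey continues outside the hunk.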
diff --git a/internal/ingress/resolver/main_test.go b/internal/ingress/resolver/main_test.go
index 044351310..dce274914 100644
--- a/internal/ingress/resolver/main_test.go
+++ b/internal/ingress/resolver/main_test.go
@@ -58,3 +58,5 @@ func TestAuthSSLCertEqual(t *testing.T) {
 }
 }
 }
+
+// TODO : implement tests for GetSSLClientCert and GetSSLCA
diff --git a/internal/ingress/resolver/mock.go b/internal/ingress/resolver/mock.go
index 3abfe7eda..ec324c7ae 100644
--- a/internal/ingress/resolver/mock.go
+++ b/internal/ingress/resolver/mock.go
@@ -60,6 +60,16 @@ func (m Mock) GetAuthCertificate(string) (*AuthSSLCert, error) {
 return nil, nil
 }
 
+// GetSSLClientCert resolves a given secret name into an SSL certificate.
+func (m Mock) GetSSLClientCert(string) (*SSLClientCert, error) {
+ return nil, nil
+}
+
+// GetSSLCA resolves a given configMap name into an SSL CA.
+func (m Mock) GetSSLCA(string) (*SSLCA, error) {
+ return nil, nil
+}
+
 // GetService searches for services containing the namespace and name using the character /
 func (m Mock) GetService(string) (*apiv1.Service, error) {
 return nil, nil