
add default ssl certificate through secret configuration via CRD (Azu…
aamgayle authored Feb 2, 2024
1 parent a8edc9d commit 19d3fd0
Showing 10 changed files with 935 additions and 17 deletions.
24 changes: 24 additions & 0 deletions api/v1alpha1/nginxingresscontroller_types.go
Expand Up @@ -50,6 +50,30 @@ type NginxIngressControllerSpec struct {
// will be from the Azure LoadBalancer annotations here https://cloud-provider-azure.sigs.k8s.io/topics/loadbalancer/#loadbalancer-annotations
// +optional
LoadBalancerAnnotations map[string]string `json:"loadBalancerAnnotations,omitempty"`

// DefaultSSLCertificate defines whether the NginxIngressController should use a certain SSL certificate by default.
// If this field is omitted, no default certificate will be used.
// +optional
DefaultSSLCertificate *DefaultSSLCertificate `json:"defaultSSLCertificate,omitempty"`
}

type DefaultSSLCertificate struct {
// Secret is a struct that holds the name and namespace fields used for the default ssl secret
// +optional
Secret *Secret `json:"secret,omitempty"`
}

// Secret is a struct that holds a name and namespace to be used in DefaultSSLCertificate
type Secret struct {
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
// +kubebuilder:validation:Pattern=`^[a-z0-9][-a-z0-9\.]*[a-z0-9]$`
Name string `json:"name"`

// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
// +kubebuilder:validation:Pattern=`^[a-z0-9][-a-z0-9\.]*[a-z0-9]$`
Namespace string `json:"namespace"`
}

// NginxIngressControllerStatus defines the observed state of NginxIngressController
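Review bot: The `Pattern` on `Secret.Name` and `Secret.Namespace` requires at least two characters (a leading and a trailing `[a-z0-9]`), which contradicts the `MinLength=1` on the same fields and rejects single-character names the API server itself accepts; `^[a-z0-9]([-a-z0-9\.]*[a-z0-9])?$` keeps the same alphabet while allowing one character. The `Namespace` field is also looser than a Kubernetes namespace name, which is a DNS-1123 label of at most 63 characters with no dots, so a value that passes this validation can still fail when the controller resolves the Secret. Because `Namespace` lets a NginxIngressController reference a TLS Secret outside its own namespace, the field deserves a doc comment making that trust boundary explicit, e.g. `// Namespace is the namespace of the Secret; it may differ from the controller's namespace, so permission to create NginxIngressControllers implies the ability to select any Secret the controller can read.` The `DefaultSSLCertificate` type (line 27) has no doc comment starting with its name; `// DefaultSSLCertificate holds the optional Secret reference used as the default TLS certificate.` would satisfy the Go convention.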
40 changes: 40 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


Expand Up @@ -61,6 +61,30 @@ spec:
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
defaultSSLCertificate:
description: DefaultSSLCertificate defines whether the NginxIngressController
should use a certain SSL certificate by default. If this field is
omitted, no default certificate will be used.
properties:
secret:
description: Secret is a struct that holds the name and namespace
fields used for the default ssl secret
properties:
name:
maxLength: 253
minLength: 1
pattern: ^[a-z0-9][-a-z0-9\.]*[a-z0-9]$
type: string
namespace:
maxLength: 253
minLength: 1
pattern: ^[a-z0-9][-a-z0-9\.]*[a-z0-9]$
type: string
required:
- name
- namespace
type: object
type: object
ingressClassName:
default: nginx.approuting.kubernetes.azure.com
description: IngressClassName is the name of the IngressClass that
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -15,7 +15,6 @@ require (
github.com/prometheus/common v0.44.0
github.com/stretchr/testify v1.8.4
go.uber.org/zap v1.25.0
gomodules.xyz/jsonpatch/v2 v2.4.0
k8s.io/api v0.28.1
k8s.io/apiextensions-apiserver v0.28.1
k8s.io/apimachinery v0.28.1
Expand Down Expand Up @@ -73,6 +72,7 @@ require (
golang.org/x/term v0.15.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.3.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
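--- a/pkg/controller/nginxingress/nginx_ingress_controller.go
+++ b/pkg/controller/nginxingress/nginx_ingress_controller.go
@@ -518,12 +518,19 @@ func ToNginxIngressConfig(nic *approutingv1alpha1.NginxIngressController, defaul
 resourceName = DefaultNicResourceName
 }
 
-return &manifests.NginxIngressConfig{
+nginxIng := &manifests.NginxIngressConfig{
 ControllerClass: cc,
 ResourceName: resourceName,
 IcName: nic.Spec.IngressClassName,
 ServiceConfig: &manifests.ServiceConfig{
 Annotations: nic.Spec.LoadBalancerAnnotations,
 },
 }
+
+if nic.Spec.DefaultSSLCertificate != nil &&
+nic.Spec.DefaultSSLCertificate.Secret.Name != "" && nic.Spec.DefaultSSLCertificate.Secret.Namespace != "" {
+nginxIng.DefaultSSLCertificate = nic.Spec.DefaultSSLCertificate.Secret.Namespace + "/" + nic.Spec.DefaultSSLCertificate.Secret.Name
+}
+
+return nginxIng
 }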
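Review bot: The new condition `nic.Spec.DefaultSSLCertificate != nil && nic.Spec.DefaultSSLCertificate.Secret.Name != ""` dereferences `Secret`, which the CRD declares as an optional pointer with no `required` at the `defaultSSLCertificate` level, so a NginxIngressController carrying `defaultSSLCertificate: {}` makes the reconciler panic on a nil pointer — a crash that anyone permitted to create the CR can trigger. Guard the pointer before reading its fields: `if s := nic.Spec.DefaultSSLCertificate; s != nil && s.Secret != nil && s.Secret.Name != "" && s.Secret.Namespace != "" {` followed by `nginxIng.DefaultSSLCertificate = s.Secret.Namespace + "/" + s.Secret.Name`. A short comment such as `// ingress-nginx expects the default certificate as "namespace/name".` would also explain the string form being built here. ToNginxIngressConfig begins before this hunk; only its tail is shown.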
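--- a/pkg/controller/nginxingress/nginx_ingress_controller_test.go
+++ b/pkg/controller/nginxingress/nginx_ingress_controller_test.go
@@ -807,6 +807,9 @@ func TestIsUnreconcilableError(t *testing.T) {
 
 func TestToNginxIngressConfig(t *testing.T) {
 defaultCc := "defaultControllerClass"
+FakeDefaultSSLCert := getFakeDefaultSSLCert("fake", "fakenamespace")
+FakeDefaultSSLCertNoName := getFakeDefaultSSLCert("", "fakenamespace")
+FakeDefaultSSLCertNoNamespace := getFakeDefaultSSLCert("fake", "")
 cases := []struct {
 name string
 nic *approutingv1alpha1.NginxIngressController
@@ -883,6 +886,76 @@ func TestToNginxIngressConfig(t *testing.T) {
 IcName: "ingressClassName",
 },
 },
+{
+name: "default controller class with DefaultSSLCertificate",
+nic: &approutingv1alpha1.NginxIngressController{
+TypeMeta: metav1.TypeMeta{
+APIVersion: approutingv1alpha1.GroupVersion.String(),
+Kind: "NginxIngressController",
+},
+ObjectMeta: metav1.ObjectMeta{
+Name: DefaultNicName,
+},
+Spec: approutingv1alpha1.NginxIngressControllerSpec{
+ControllerNamePrefix: DefaultNicResourceName,
+IngressClassName: DefaultIcName,
+DefaultSSLCertificate: FakeDefaultSSLCert,
+},
+},
+want: manifests.NginxIngressConfig{
+ControllerClass: defaultCc,
+ResourceName: DefaultNicResourceName,
+IcName: DefaultIcName,
+ServiceConfig: &manifests.ServiceConfig{},
+DefaultSSLCertificate: FakeDefaultSSLCert.Secret.Namespace + "/" + FakeDefaultSSLCert.Secret.Name,
+},
+},
+{
+name: "default controller class with DefaultSSLCertificate with no name",
+nic: &approutingv1alpha1.NginxIngressController{
+TypeMeta: metav1.TypeMeta{
+APIVersion: approutingv1alpha1.GroupVersion.String(),
+Kind: "NginxIngressController",
+},
+ObjectMeta: metav1.ObjectMeta{
+Name: DefaultNicName,
+},
+Spec: approutingv1alpha1.NginxIngressControllerSpec{
+ControllerNamePrefix: DefaultNicResourceName,
+IngressClassName: DefaultIcName,
+DefaultSSLCertificate: FakeDefaultSSLCertNoName,
+},
+},
+want: manifests.NginxIngressConfig{
+ControllerClass: defaultCc,
+ResourceName: DefaultNicResourceName,
+IcName: DefaultIcName,
+ServiceConfig: &manifests.ServiceConfig{},
+},
+},
+{
+name: "default controller class with DefaultSSLCertificate with no namespace",
+nic: &approutingv1alpha1.NginxIngressController{
+TypeMeta: metav1.TypeMeta{
+APIVersion: approutingv1alpha1.GroupVersion.String(),
+Kind: "NginxIngressController",
+},
+ObjectMeta: metav1.ObjectMeta{
+Name: DefaultNicName,
+},
+Spec: approutingv1alpha1.NginxIngressControllerSpec{
+ControllerNamePrefix: DefaultNicResourceName,
+IngressClassName: DefaultIcName,
+DefaultSSLCertificate: FakeDefaultSSLCertNoNamespace,
+},
+},
+want: manifests.NginxIngressConfig{
+ControllerClass: defaultCc,
+ResourceName: DefaultNicResourceName,
+IcName: DefaultIcName,
+ServiceConfig: &manifests.ServiceConfig{},
+},
+},
 }
 
 for _, c := range cases {
@@ -892,3 +965,13 @@ func TestToNginxIngressConfig(t *testing.T) {
 })
 }
 }
+
+func getFakeDefaultSSLCert(name, namespace string) *approutingv1alpha1.DefaultSSLCertificate {
+fakecert := &approutingv1alpha1.DefaultSSLCertificate{
+Secret: &approutingv1alpha1.Secret{
+Name: name,
+Namespace: namespace,
+},
+}
+return fakecert
+}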
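Review bot: None of the three new cases sets `DefaultSSLCertificate` with a nil `Secret`, even though the CRD marks `secret` as optional, so the table cannot surface a nil dereference on that path in `ToNginxIngressConfig`; a fourth entry mirroring the "no name" case with `DefaultSSLCertificate: &approutingv1alpha1.DefaultSSLCertificate{},` and the same `want` would cover it, and as the controller code in this commit stands it would panic rather than fail, which is the signal needed to add the guard. `FakeDefaultSSLCert`, `FakeDefaultSSLCertNoName` and `FakeDefaultSSLCertNoNamespace` are function locals and should be lowerCamelCase (`fakeDefaultSSLCert`, …) per Go naming. `getFakeDefaultSSLCert` can `return &approutingv1alpha1.DefaultSSLCertificate{...}` directly instead of binding `fakecert` first, and a one-line comment such as `// getFakeDefaultSSLCert builds a DefaultSSLCertificate whose Secret has the given name and namespace; empty strings are passed through unchanged.` would document what the empty-string cases rely on.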