Fix for Feature/custom certs

microservices/gatewayApi/clients/kong.py

@@ -29,6 +29,9 @@ def get_service_routes (service_id):
 def get_local_certs_by_ns (ns):
     return recurse_get_records ([], "/certificates?tags=gwa.ns.%s" % ns)
 
+def get_public_certs_by_ns (ns):
+    return recurse_get_records ([], "/certificates?tags=ns.%s" % ns)
+
 def get_acls ():
     return recurse_get_records ([], "/acls")
 

microservices/gatewayApi/tests/conftest.py

@@ -66,6 +66,8 @@ def get_group_by_path(path, search_in_subgroups):
                 return {"id": "g002"}
             elif path == "/ns/mytest3":
                 return {"id": "g003"}
+            elif path == "/ns/customcert":
+                return {"id": "g004"}
             else:
                 return {"id": "g001"}
         def get_group(id):
@@ -91,6 +93,12 @@ def get_group(id):
                         "perm-domains": [ ".api.gov.bc.ca", ".cluster.local" ]
                     }
                 }
+            elif id == "g004":
+                return {
+                    "attributes": {
+                        "perm-domains": [ ".api.gov.bc.ca", ".custom.gov.bc.ca" ]
+                    }
+                }
 
     mocker.patch("v2.services.namespaces.admin_api", return_value=mock_kc_admin)
 
@@ -115,14 +123,35 @@ def json():
             return Response
         elif (path == 'http://kong/certificates?tags=gwa.ns.mytest' or
               path == 'http://kong/certificates?tags=gwa.ns.sescookie' or
-              path == 'http://kong/certificates?tags=gwa.ns.dclass'):
+              path == 'http://kong/certificates?tags=gwa.ns.dclass' or
+              path == 'http://kong/certificates?tags=gwa.ns.customcert'):
             class Response:
                 def json():
                     return {
                         "data": [],
                         "next": None
                     }
             return Response
+        elif (path == 'http://kong/certificates?tags=ns.customcert'):
+            class Response:
+                def json():
+                    return {
+                        "next": None,
+                        "data": [
+                            {
+                                "id": "41d14845-669f-4dcd-aff2-926fb32a4b25",
+                                "snis": [
+                                    "test.custom.gov.bc.ca"
+                                ],
+                                "tags": [
+                                    "ns.customcert",
+                                ],
+                                "cert": "CERT",
+                                "key": "KEY"
+                            }
+                        ]
+                    }
+            return Response
 
         else:
             raise Exception(path)
@@ -180,7 +209,8 @@ class Response:
                     "aps.route.dataclass.high": [],
                     "aps.route.dataclass.public": []
                 }, 
-                'select_tag': 'ns.sescookie.dev'
+                'select_tag': 'ns.sescookie.dev',
+                'certificates': []
             }
 
             assert json.dumps(kwargs['json'], sort_keys=True) == json.dumps(matched, sort_keys=True)
@@ -198,7 +228,39 @@ class Response:
                     "aps.route.dataclass.high": ['myapi.api.gov.bc.ca'],
                     "aps.route.dataclass.public": []
                 }, 
-                'select_tag': 'ns.dclass.dev'
+                'select_tag': 'ns.dclass.dev',
+                'certificates': []
+            }
+
+            assert json.dumps(kwargs['json'], sort_keys=True) == json.dumps(matched, sort_keys=True)
+            return Response
+        elif (url == 'http://kube-api/namespaces/customcert/routes'):
+            class Response:
+                status_code = 201
+            matched = {
+                'hosts': ['test.custom.gov.bc.ca'], 
+                'ns_attributes': {'perm-domains': ['.api.gov.bc.ca', '.custom.gov.bc.ca']}, 
+                'overrides': {
+                    'aps.route.session.cookie.enabled': [],
+                    "aps.route.dataclass.low": [],
+                    "aps.route.dataclass.medium": [],
+                    "aps.route.dataclass.high": [],
+                    "aps.route.dataclass.public": []
+                }, 
+                'select_tag': 'ns.customcert',
+                'certificates': [
+                    {
+                        "id": "41d14845-669f-4dcd-aff2-926fb32a4b25",
+                        "snis": [
+                            "test.custom.gov.bc.ca"
+                        ],
+                        "tags": [
+                            "ns.customcert",
+                        ],
+                        "cert": "CERT",
+                        "key": "KEY"
+                    }
+                ]
             }
 
             assert json.dumps(kwargs['json'], sort_keys=True) == json.dumps(matched, sort_keys=True)
@@ -213,24 +275,16 @@ class Response:
             raise Exception(url)
 
     def mock_requests_get(self, url, **kwards):
-        if (url == 'http://kube-api/namespaces/mytest/local_tls'):
-            class Response:
-                status_code = 200
-                def json():
-                    return {}
-            return Response
-        elif (url == 'http://kube-api/namespaces/sescookie/local_tls'):
-            class Response:
-                status_code = 200
-                def json():
-                    return {}
-            return Response
-        elif (url == 'http://kube-api/namespaces/dclass/local_tls'):
+        if (url == 'http://kube-api/namespaces/mytest/local_tls' or
+            url == 'http://kube-api/namespaces/sescookie/local_tls' or
+            url == 'http://kube-api/namespaces/dclass/local_tls' or
+            url == 'http://kube-api/namespaces/customcert/local_tls'):
             class Response:
                 status_code = 200
                 def json():
                     return {}
             return Response
+
         else:
             raise Exception(url)
 

microservices/gatewayApi/tests/routes/v2/test_gateway.py

@@ -121,6 +121,31 @@ def test_happy_with_data_class_gateway_call(client):
     assert response.status_code == 200
     assert json.dumps(response.json) == '{"message": "Sync successful.", "results": "Deck reported no changes"}'
 
+def test_happy_with_custom_domain_gateway_call(client):
+    configFile = '''
+        services:
+        - name: my-service
+          host: myupstream.local
+          ca_certificates: [ "0000-0000-0000-0000" ]
+          certificate: "41d14845-669f-4dcd-aff2-926fb32a4b25"
+          tags: ["ns.customcert"]
+          routes:
+          - name: route-1
+            hosts: [ test.custom.gov.bc.ca ]
+            tags: ["ns.customcert"]
+            plugins:
+            - name: acl-auth
+              tags: ["ns.customcert"]
+        '''
+
+    data={
+        "configFile": configFile,
+        "dryRun": False
+    }
+    response = client.put('/v2/namespaces/customcert/gateway', json=data)
+    assert response.status_code == 200
+    assert json.dumps(response.json) == '{"message": "Sync successful.", "results": "Deck reported no changes"}'
+
 def test_success_mtls_reference(client):
     configFile = '''
         services:

microservices/gatewayApi/v2/routes/gateway.py

@@ -17,7 +17,7 @@
 from v2.services.namespaces import NamespaceService
 
 from clients.portal import record_gateway_event
-from clients.kong import get_routes, register_kong_certs
+from clients.kong import get_routes, register_kong_certs, get_public_certs_by_ns
 from clients.ocp_gateway_secret import prep_submitted_config
 from utils.validators import host_valid, validate_upstream
 from utils.transforms import plugins_transformations
@@ -330,6 +330,15 @@ def write_config(namespace: str) -> object:
         try:
             if update_routes_flag:
                 host_list = get_host_list(tempFolder)
+                certs = []
+                custom_domain_in_host_list = False
+                for host in host_list:
+                    if is_host_custom_domain(host):
+                        custom_domain_in_host_list = True
+                        break
+                if custom_domain_in_host_list:
+                    certs = get_public_certs_by_ns(namespace)
+                    log.debug("[%s] Found %d certs in namespace" % (namespace, len(certs)))
                 session = requests.Session()
                 session.headers.update({"Content-Type": "application/json"})
                 route_payload = {
@@ -342,9 +351,17 @@ def write_config(namespace: str) -> object:
                         "aps.route.dataclass.medium": get_route_overrides(tempFolder, "aps.route.dataclass.medium"),
                         "aps.route.dataclass.high": get_route_overrides(tempFolder, "aps.route.dataclass.high"),
                         "aps.route.dataclass.public": get_route_overrides(tempFolder, "aps.route.dataclass.public"),
-                    }
+                    },
+                    "certificates": certs
                 }
-                log.debug("[%s] - Initiating request to kube API %s" % (dp, route_payload))
+                # Create a copy without certificates for logging
+                route_payload_log = {
+                    "hosts": host_list,
+                    "select_tag": selectTag,
+                    "ns_attributes": ns_attributes.getAttrs(),
+                    "overrides": route_payload["overrides"]
+                }
+                log.debug("[%s] - Initiating request to kube API %s" % (dp, route_payload_log))
                 rqst_url = app.config['data_planes'][dp]["kube-api"]
                 res = session.put(rqst_url + "/namespaces/%s/routes" % namespace, json=route_payload, auth=(
                     app.config['kubeApiCreds']['kubeApiUser'], app.config['kubeApiCreds']['kubeApiPass']))
@@ -469,6 +486,8 @@ def host_transformation(namespace, data_plane, yaml):
                         for host in route['hosts']:
                             if is_host_local(host):
                                 new_hosts.append(transform_local_host(data_plane, host))
+                            elif is_host_custom_domain(host):
+                                new_hosts.append(host)
                             elif is_host_transform_enabled():
                                 new_hosts.append(transform_host(host))
                                 transforms = transforms + 1
@@ -477,10 +496,32 @@ def host_transformation(namespace, data_plane, yaml):
                         route['hosts'] = new_hosts
     log.debug("[%s] Host transformations %d" % (namespace, transforms))
 
-def is_host_local (host):
+def is_host_local(host):
     return host.endswith(".cluster.local")
 
-def has_namespace_local_host_permission (ns_attributes):
+def is_host_custom_domain(host):
+    log = app.logger
+
+    non_custom_suffixes = [
+        '.cluster.local', 
+        '.api.gov.bc.ca', 
+        '.data.gov.bc.ca', 
+        '.maps.gov.bc.ca', 
+        '.openmaps.gov.bc.ca',
+        '.apps.gov.bc.ca',
+        '.apis.gov.bc.ca',
+        '.test'
+    ]
+
+    # Check if the host is one of the standard cert domains or a subdomain of them
+    for suffix in non_custom_suffixes:
+        if host == suffix[1:] or host.endswith(suffix):
+            return False
+
+    log.debug("Host %s is custom" % (host))
+    return True
+
+def has_namespace_local_host_permission(ns_attributes):
     for domain in ns_attributes.get('perm-domains', ['.api.gov.bc.ca']):
         if is_host_local(domain):
             return True
@@ -499,7 +540,7 @@ def transform_local_host(data_plane, host):
     return "gw-%s.%s.svc.cluster.local" % (name_part, kube_ns)
 
 def transform_host(host):
-    if is_host_local(host):
+    if is_host_local(host) or is_host_custom_domain(host):
         return host
     elif is_host_transform_enabled():
         conf = app.config['hostTransformation']