From 589f4cd3f47c7e9c221f2f22937777fb77c654b5 Mon Sep 17 00:00:00 2001
From: Vegard Hagen
Date: Sat, 4 May 2024 12:36:25 +0200
Subject: [PATCH 1/2] test: Create failing test for Gateway TLS-listener in passthrough mode
Signed-off-by: Vegard Hagen
---
 pkg/controller/certificate-shim/sync_test.go | 62 ++++++++++++++++++++
 1 file changed, 62 insertions(+)
diff --git a/pkg/controller/certificate-shim/sync_test.go b/pkg/controller/certificate-shim/sync_test.go
index e3e0d6378b9..40804243247 100644
--- a/pkg/controller/certificate-shim/sync_test.go
+++ b/pkg/controller/certificate-shim/sync_test.go
@@ -2462,6 +2462,68 @@ func TestSync(t *testing.T) {
 },
 },
 },
+ {
+ Name: "should skip TLS protocol listener in TLS passthrough mode",
+ Issuer: acmeIssuer,
+ IssuerLister: []runtime.Object{acmeIssuer},
+ ExpectedEvents: []string{
+ `Normal CreateCertificate Successfully created Certificate "example-com-tls"`,
+ },
+ IngressLike: &gwapi.Gateway{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "gateway-name",
+ Namespace: gen.DefaultTestNamespace,
+ Annotations: map[string]string{
+ cmapi.IngressIssuerNameAnnotationKey: "issuer-name",
+ },
+ UID: types.UID("gateway-name"),
+ },
+ Spec: gwapi.GatewaySpec{
+ GatewayClassName: "test-gateway",
+ Listeners: []gwapi.Listener{{
+ Hostname: ptrHostname("example.com"),
+ Port: 443,
+ Protocol: gwapi.HTTPSProtocolType,
+ TLS: &gwapi.GatewayTLSConfig{
+ Mode: ptrMode(gwapi.TLSModeTerminate),
+ CertificateRefs: []gwapi.SecretObjectReference{
+ {
+ Group: func() *gwapi.Group { g := gwapi.Group("core"); return &g }(),
+ Kind: func() *gwapi.Kind { k := gwapi.Kind("Secret"); return &k }(),
+ Name: "example-com-tls",
+ },
+ },
+ },
+ }, {
+ Hostname: ptrHostname("subdomain.example.com"),
+ Port: 443,
+ Protocol: gwapi.TLSProtocolType,
+ TLS: &gwapi.GatewayTLSConfig{
+ Mode: ptrMode(gwapi.TLSModePassthrough),
+ CertificateRefs: []gwapi.SecretObjectReference{},
+ },
+ }},
+ },
+ },
+ ExpectedCreate: []*cmapi.Certificate{
+ {
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "example-com-tls",
+ Namespace: gen.DefaultTestNamespace,
+ OwnerReferences: buildGatewayOwnerReferences("gateway-name"),
+ },
+ Spec: cmapi.CertificateSpec{
+ DNSNames: []string{"example.com"},
+ SecretName: "example-com-tls",
+ Usages: cmapi.DefaultKeyUsages(),
+ IssuerRef: cmmeta.ObjectReference{
+ Name: "issuer-name",
+ Kind: "Issuer",
+ },
+ },
+ },
+ },
+ },
 {
 Name: "should error if the specified issuer is not found",
 IngressLike: &gwapi.Gateway{
From 90910d438c9dff3a67a7e640b2244602818bfefc Mon Sep 17 00:00:00 2001
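Review bot: The new case pins only the Protocol=TLS, Mode=Passthrough, empty-certificateRefs combination, so it does not show that the skip is limited to that combination: a TLS-protocol listener in Terminate mode should still produce a Certificate, and a Passthrough listener that does list a certificateRef is the input whose validation outcome the fix actually changes (it previously failed the mode check), yet neither is covered. A sibling case with the second listener set to `Protocol: gwapi.TLSProtocolType, TLS: &gwapi.GatewayTLSConfig{Mode: ptrMode(gwapi.TLSModeTerminate), CertificateRefs: ...}` and a second expected Certificate for `subdomain.example.com` would pin the boundary. As a point of style, the `func() *gwapi.Group { ... }()` and `func() *gwapi.Kind { ... }()` closures are hard to scan next to the existing `ptrHostname`/`ptrMode` helpers; matching `ptrGroup`/`ptrKind` helpers would read better. The TestSync table this case is appended to starts and ends outside the hunk.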
From: Vegard Hagen
Date: Sat, 4 May 2024 12:41:04 +0200
Subject: [PATCH 2/2] fix: Skip Gateway TLS-protocol listener in TLS passthrough mode
Signed-off-by: Vegard Hagen
---
 pkg/controller/certificate-shim/sync.go | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/pkg/controller/certificate-shim/sync.go b/pkg/controller/certificate-shim/sync.go
index d3a1a49893d..5164198fe87 100644
--- a/pkg/controller/certificate-shim/sync.go
+++ b/pkg/controller/certificate-shim/sync.go
@@ -257,6 +257,17 @@ func validateGatewayListenerBlock(path *field.Path, l gwapi.Listener, ingLike me
 return errs
 }
+ if l.TLS.Mode == nil {
+ errs = append(errs, field.Required(path.Child("tls").Child("mode"),
+ "the mode field is required"))
+ } else if l.Protocol == gwapi.TLSProtocolType && *l.TLS.Mode == gwapi.TLSModePassthrough {
+ // skip TLS-listener in TLS-passthrough mode
+ return errs
+ } else if *l.TLS.Mode != gwapi.TLSModeTerminate {
+ errs = append(errs, field.NotSupported(path.Child("tls").Child("mode"),
+ *l.TLS.Mode, []string{string(gwapi.TLSModeTerminate)}))
+ }
+
 if len(l.TLS.CertificateRefs) == 0 {
 errs = append(errs, field.Required(path.Child("tls").Child("certificateRef"),
 "listener has no certificateRefs"))
@@ -280,14 +291,6 @@ func validateGatewayListenerBlock(path *field.Path, l gwapi.Listener, ingLike me
 }
 }
- if l.TLS.Mode == nil {
- errs = append(errs, field.Required(path.Child("tls").Child("mode"),
- "the mode field is required"))
- } else if *l.TLS.Mode != gwapi.TLSModeTerminate {
- errs = append(errs, field.NotSupported(path.Child("tls").Child("mode"),
- *l.TLS.Mode, []string{string(gwapi.TLSModeTerminate)}))
- }
-
 return errs
 }
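Review bot: The `return errs` in the new Passthrough branch reports the listener as valid rather than skipping it, and it exits before the certificateRefs checks that follow, including the per-ref validation later in the function whose closing braces are the context of the second hunk; a Passthrough listener that does carry certificateRefs therefore now passes validation with those refs unchecked, where previously it was rejected as NotSupported. Whether anything is then issued for such a listener depends on the caller outside this hunk, which presumably builds Certificates from CertificateRefs and so does nothing for the test's listener only because it lists none. Either reject refs in passthrough mode before returning, `if len(l.TLS.CertificateRefs) != 0 { errs = append(errs, field.Forbidden(path.Child("tls").Child("certificateRefs"), "must be empty when tls.mode is Passthrough")) }`, or, if the Gateway API permits refs there, make the comment say what the skip relies on: `// Passthrough listeners are not terminated by the gateway, so no Certificate is needed; the caller must not treat a clean result here as a request to issue one.` validateGatewayListenerBlock starts before this hunk and ends in the second hunk.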