diff --git a/pkg/apis/networking/register.go b/pkg/apis/networking/register.go
index e88e9b5c0..4a7a82bc4 100644
--- a/pkg/apis/networking/register.go
+++ b/pkg/apis/networking/register.go
@@ -119,6 +119,10 @@ const (
 // already using labels for domain, it probably best to keep this
 // consistent.
 VisibilityLabelKey = PublicGroupName + "/visibility"
+
+ // CertificateTypeLabelKey is the label to indicate the type of Knative certificate
+ // used for Knative Serving encryption functionality.
+ CertificateTypeLabelKey = PublicGroupName + "/certificate-type"
 )

 // Pseudo-constants
diff --git a/pkg/apis/networking/v1alpha1/ingress_helpers.go b/pkg/apis/networking/v1alpha1/ingress_helpers.go
new file mode 100644
index 000000000..e8ea7c17b
--- /dev/null
+++ b/pkg/apis/networking/v1alpha1/ingress_helpers.go
@@ -0,0 +1,47 @@
+/*
+Copyright 2023 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ "github.com/google/go-cmp/cmp"
+ "github.com/google/go-cmp/cmp/cmpopts"
+)
+
+// GetIngressTLSForVisibility returns a list of `Spec.TLS` where the `Hosts` field matches
+// to `Spec.Rules.Hosts` and where the Rules have the defined ingress visibility.
+// This method can be used in net-* implementations to select the correct `IngressTLS` entries
+// for cluster-local and cluster-external gateways/listeners.
+func (i *Ingress) GetIngressTLSForVisibility(visibility IngressVisibility) []IngressTLS {
+ ingressTLS := make([]IngressTLS, 0, len(i.Spec.TLS))
+
+ if i.Spec.TLS == nil || len(i.Spec.TLS) == 0 {
+ return ingressTLS
+ }
+
+ for _, r := range i.Spec.Rules {
+ if r.Visibility == visibility {
+ for _, t := range i.Spec.TLS {
+ // Check if hosts slices are equal ignoring the order
+ if cmp.Diff(r.Hosts, t.Hosts, cmpopts.SortSlices(func(a, b string) bool { return a < b })) == "" {
+ ingressTLS = append(ingressTLS, t)
+ }
+ }
+ }
+ }
+
+ return ingressTLS
+}
diff --git a/pkg/apis/networking/v1alpha1/ingress_helpers_test.go b/pkg/apis/networking/v1alpha1/ingress_helpers_test.go
new file mode 100644
index 000000000..abd138f16
--- /dev/null
+++ b/pkg/apis/networking/v1alpha1/ingress_helpers_test.go
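Review bot: The comparison at `cmp.Diff(r.Hosts, t.Hosts, ...) == ""` only accepts a TLS entry whose host set equals the rule's host set exactly, so an `IngressTLS` covering a superset or subset of a rule's hosts is silently skipped and that listener ends up without a certificate for those hosts, while an entry matching two rules of the same visibility is appended twice. If exact equality is the intended contract, state it in the doc comment, e.g. `// Only TLS entries whose Hosts equal a matching rule's Hosts as a set are returned; entries that only partially overlap a rule are ignored, and an entry matching several rules is returned once per rule.` go-cmp documents itself as intended for tests; for a helper that runs inside net-* controllers on every reconcile, sorting copies of both slices and comparing them element-wise (or a `map[string]struct{}` of the rule hosts) avoids a reflection-based diff for every rule×TLS pair. The `i.Spec.TLS == nil` test is redundant, since `len` of a nil slice is 0, so the guard can be just `if len(i.Spec.TLS) == 0 {`.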
@@ -0,0 +1,149 @@
+/*
+Copyright 2023 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+)
+
+var (
+ hosts = []string{"foo", "bar", "foo.bar"}
+)
+
+func TestGetIngressTLSForVisibility(t *testing.T) {
+ tests := []struct {
+ name string
+ visibility IngressVisibility
+ ingress *Ingress
+ want []IngressTLS
+ }{{
+ name: "no TLS entries",
+ visibility: IngressVisibilityClusterLocal,
+ ingress: &Ingress{
+ Spec: IngressSpec{
+ Rules: []IngressRule{
+ {
+ Hosts: hosts,
+ Visibility: IngressVisibilityClusterLocal,
+ },
+ {
+ Hosts: []string{"other", "entries"},
+ Visibility: IngressVisibilityExternalIP,
+ },
+ },
+ TLS: make([]IngressTLS, 0),
+ },
+ },
+ want: make([]IngressTLS, 0),
+ }, {
+ name: "no matching entries",
+ visibility: IngressVisibilityClusterLocal,
+ ingress: &Ingress{
+ Spec: IngressSpec{
+ Rules: []IngressRule{
+ {
+ Hosts: hosts,
+ Visibility: IngressVisibilityClusterLocal,
+ },
+ {
+ Hosts: []string{"other", "entries"},
+ Visibility: IngressVisibilityExternalIP,
+ },
+ },
+ TLS: []IngressTLS{
+ {Hosts: []string{"something", "else"}},
+ },
+ },
+ },
+ want: make([]IngressTLS, 0),
+ }, {
+ name: "matching cluster-local entries",
+ visibility: IngressVisibilityClusterLocal,
+ ingress: &Ingress{
+ Spec: IngressSpec{
+ Rules: []IngressRule{
+ {
+ Hosts: hosts,
+ Visibility: IngressVisibilityClusterLocal,
+ },
+ {
+ Hosts: []string{"other", "entries"},
+ Visibility: 
IngressVisibilityExternalIP,
+ },
+ },
+ TLS: []IngressTLS{
+ {Hosts: hosts},
+ },
+ },
+ },
+ want: []IngressTLS{{Hosts: hosts}},
+ }, {
+ name: "matching external-ip entries",
+ visibility: IngressVisibilityExternalIP,
+ ingress: &Ingress{
+ Spec: IngressSpec{
+ Rules: []IngressRule{
+ {
+ Hosts: hosts,
+ Visibility: IngressVisibilityExternalIP,
+ },
+ {
+ Hosts: []string{"other", "entries"},
+ Visibility: IngressVisibilityClusterLocal,
+ },
+ },
+ TLS: []IngressTLS{
+ {Hosts: hosts},
+ },
+ },
+ },
+ want: []IngressTLS{{Hosts: hosts}},
+ }, {
+ name: "matching entries with different visibility",
+ visibility: IngressVisibilityClusterLocal,
+ ingress: &Ingress{
+ Spec: IngressSpec{
+ Rules: []IngressRule{
+ {
+ Hosts: hosts,
+ Visibility: IngressVisibilityExternalIP,
+ },
+ {
+ Hosts: []string{"other", "entries"},
+ Visibility: IngressVisibilityClusterLocal,
+ },
+ },
+ TLS: []IngressTLS{
+ {Hosts: hosts},
+ },
+ },
+ },
+ want: make([]IngressTLS, 0),
+ }}
+
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ got := test.ingress.GetIngressTLSForVisibility(test.visibility)
+
+ if !cmp.Equal(test.want, got) {
+ t.Errorf("GetIngressTLSForVisibility (-want, +got) = \n%s", cmp.Diff(test.want, got))
+ }
+ })
+ }
+}
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 028937067..b9fca8585 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -67,12 +67,6 @@ const (
 // Certificate reconciler.
 CertManagerCertificateClassName = "cert-manager.certificate.networking.knative.dev"

- // ServingInternalCertName is the name of secret contains certificates in serving
- // system namespace.
- //
- // Deprecated: ServingInternalCertName is deprecated. Use ServingRoutingCertName instead.
- ServingInternalCertName = "knative-serving-certs"
-
 // ServingRoutingCertName is the name of secret contains certificates for Routing data in serving
 // system namespace. (Used by Ingress GWs and Activator)
 ServingRoutingCertName = "routing-serving-certs"
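Review bot: The table never pins the two edge cases that matter for certificate selection: a TLS entry whose Hosts are a superset or subset of a rule's hosts (dropped by the exact-set comparison in `GetIngressTLSForVisibility`) and two rules with the same visibility and identical hosts (the same entry is appended twice); a nil `Spec.TLS` is also untested even though the helper checks for it explicitly. A case such as `{name: "nil TLS", visibility: IngressVisibilityClusterLocal, ingress: &Ingress{Spec: IngressSpec{Rules: []IngressRule{{Hosts: hosts, Visibility: IngressVisibilityClusterLocal}}}}, want: make([]IngressTLS, 0)}` plus one whose TLS entry uses `Hosts: append([]string{"extra"}, hosts...)` with `want: make([]IngressTLS, 0)` would document the intended contract rather than leave it implicit. The existing cases also only use host slices in identical order; one case with the TLS hosts permuted relative to the rule would exercise the `SortSlices` option that the helper relies on.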
@@ -148,6 +142,20 @@ const (
 SystemInternalTLSKey = "system-internal-tls"
 )

+// CertificateType indicates the type of Knative Certificate.
+type CertificateType string
+
+const (
+ // CertificateSystemInternal defines a certificate used for `system-internal-tls`.
+ CertificateSystemInternal CertificateType = "system-internal"
+
+ // CertificateClusterLocalDomain defines a certificate used for `cluster-local-domain-tls`.
+ CertificateClusterLocalDomain CertificateType = "cluster-local-domain"
+
+ // CertificateExternalDomain defines a cerificate used for `external-domain-tls`.
+ CertificateExternalDomain CertificateType = "external-domain"
+)
+
 // EncryptionConfig indicates the encryption configuration
 // used for TLS connections.
 type EncryptionConfig string
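Review bot: The doc comment on `CertificateExternalDomain` misspells `cerificate`; it should read `certificate` like the two sibling comments. Given that this commit also adds `CertificateTypeLabelKey` in register.go, these string values presumably end up as Kubernetes label values, in which case the type comment should record that constraint so nobody later adds a value with a slash or upper-case characters, e.g. `// CertificateType indicates the type of Knative Certificate. Values are used as label values and must stay valid label syntax (alphanumerics, '-', '_', '.'; at most 63 characters).` The actual use as a label value is not visible in this diff, so confirm before wording it as a hard rule.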