--default-ssl-certificate flag for via CRD

api/v1alpha1/nginxingresscontroller_types.go

@@ -50,6 +50,28 @@ type NginxIngressControllerSpec struct {
 	// will be from the Azure LoadBalancer annotations here https://cloud-provider-azure.sigs.k8s.io/topics/loadbalancer/#loadbalancer-annotations
 	// +optional
 	LoadBalancerAnnotations map[string]string `json:"loadBalancerAnnotations,omitempty"`
+
+	// DefaultSSLCertificate is a struct with a secret with the fields namespace and name which is used to create the ssl certificate used by the default HTTPS server
+	// +optional
+	DefaultSSLCertificate DefaultSSLCertificate `json:"defaultSSLCertificate,omitempty"`
+}
+
+type DefaultSSLCertificate struct {
+	// Secret is a struct that holds the name and namespace fields used for the default ssl secret
+	// +optional
+	Secret Secret `json:"secret"`
+}
+
+type Secret struct {
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Pattern=`^[a-z0-9][-a-z0-9\.]*[a-z0-9]$`
+	Name string `json:"secretName"`
+
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Pattern=`^[a-z0-9][-a-z0-9\.]*[a-z0-9]$`
+	Namespace string `json:"secretNamespace"`
 }
 
 // NginxIngressControllerStatus defines the observed state of NginxIngressController

config/crd/bases/approuting.kubernetes.azure.com_nginxingresscontrollers.yaml

@@ -61,6 +61,30 @@ spec:
                 x-kubernetes-validations:
                 - message: Value is immutable
                   rule: self == oldSelf
+              defaultSSLCertificate:
+                description: DefaultSSLCertificate is a struct with a secret with
+                  the fields namespace and name which is used to create the ssl certificate
+                  used by the default HTTPS server
+                properties:
+                  secret:
+                    description: Secret is a struct that holds the name and namespace
+                      fields used for the default ssl secret
+                    properties:
+                      secretName:
+                        maxLength: 253
+                        minLength: 1
+                        pattern: ^[a-z0-9][-a-z0-9\.]*[a-z0-9]$
+                        type: string
+                      secretNamespace:
+                        maxLength: 253
+                        minLength: 1
+                        pattern: ^[a-z0-9][-a-z0-9\.]*[a-z0-9]$
+                        type: string
+                    required:
+                    - secretName
+                    - secretNamespace
+                    type: object
+                type: object
               ingressClassName:
                 default: nginx.approuting.kubernetes.azure.com
                 description: IngressClassName is the name of the IngressClass that

go.mod

@@ -15,7 +15,6 @@ require (
 	github.com/prometheus/common v0.44.0
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/zap v1.25.0
-	gomodules.xyz/jsonpatch/v2 v2.4.0
 	k8s.io/api v0.28.1
 	k8s.io/apiextensions-apiserver v0.28.1
 	k8s.io/apimachinery v0.28.1
@@ -73,6 +72,7 @@ require (
 	golang.org/x/term v0.15.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect

pkg/controller/nginxingress/nginx_ingress_controller.go

@@ -148,6 +148,13 @@ func (n *nginxIngressControllerReconciler) Reconcile(ctx context.Context, req ct
 	controllerDeployment = resources.Deployment
 	ingressClass = resources.IngressClass
 
+	if &nginxIngressController.Spec.DefaultSSLCertificate != nil {
+		lgr.Info("validating default ssl certificate secret")
+		if !manifests.IsValidDefaultSSLCertSecret(&nginxIngressController.Spec.DefaultSSLCertificate) {
+			lgr.Info("Field in DefaultSSLCert secret is invalid or empty: default ssl cert will not be set")
+		}
+	}
+
 	lgr.Info("reconciling managed resources")
 	managedRes, err = n.ReconcileResource(ctx, &nginxIngressController, resources)
 	if err != nil {
@@ -518,12 +525,20 @@ func ToNginxIngressConfig(nic *approutingv1alpha1.NginxIngressController, defaul
 		resourceName = DefaultNicResourceName
 	}
 
-	return &manifests.NginxIngressConfig{
+	nginxIng := &manifests.NginxIngressConfig{
 		ControllerClass: cc,
 		ResourceName:    resourceName,
 		IcName:          nic.Spec.IngressClassName,
 		ServiceConfig: &manifests.ServiceConfig{
 			Annotations: nic.Spec.LoadBalancerAnnotations,
 		},
 	}
+
+	if manifests.IsValidDefaultSSLCertSecret(&nic.Spec.DefaultSSLCertificate) {
+		nginxIng.DefaultSSLCertificate = &approutingv1alpha1.DefaultSSLCertificate{
+			Secret: nic.Spec.DefaultSSLCertificate.Secret,
+		}
+	}
+
+	return nginxIng
 }

pkg/controller/nginxingress/nginx_ingress_controller_test.go

@@ -807,6 +807,12 @@ func TestIsUnreconcilableError(t *testing.T) {
 
 func TestToNginxIngressConfig(t *testing.T) {
 	defaultCc := "defaultControllerClass"
+	FakeDefaultSSLCert := approutingv1alpha1.DefaultSSLCertificate{
+		Secret: approutingv1alpha1.Secret{
+			Name:      "fakename",
+			Namespace: "fakenamespace",
+		},
+	}
 	cases := []struct {
 		name string
 		nic  *approutingv1alpha1.NginxIngressController
@@ -883,6 +889,30 @@ func TestToNginxIngressConfig(t *testing.T) {
 				IcName:          "ingressClassName",
 			},
 		},
+		{
+			name: "default controller class with DefaultSSLCertificate",
+			nic: &approutingv1alpha1.NginxIngressController{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: approutingv1alpha1.GroupVersion.String(),
+					Kind:       "NginxIngressController",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: DefaultNicName,
+				},
+				Spec: approutingv1alpha1.NginxIngressControllerSpec{
+					ControllerNamePrefix:  DefaultNicResourceName,
+					IngressClassName:      DefaultIcName,
+					DefaultSSLCertificate: FakeDefaultSSLCert,
+				},
+			},
+			want: manifests.NginxIngressConfig{
+				ControllerClass:       defaultCc,
+				ResourceName:          DefaultNicResourceName,
+				IcName:                DefaultIcName,
+				ServiceConfig:         &manifests.ServiceConfig{},
+				DefaultSSLCertificate: &FakeDefaultSSLCert,
+			},
+		},
 	}
 
 	for _, c := range cases {