diff --git a/docs/operator_guide.md b/docs/operator_guide.md index 135e3c68..d3d3b5b4 100644 --- a/docs/operator_guide.md +++ b/docs/operator_guide.md @@ -151,6 +151,7 @@ Used to configure how the ingress will be annotated for issuing a TLS certificat * `tls-certificate-issuer` sets the _value_ of the annotation, for example to decide between production and staging versions of an issuer in different namespaces * `tls-certificate-issuer-type-default` sets the default for the _key_ of the annotation, for example to use either `certmanager.k8s.io/cluster-issuer` (the default) or `certmanager.k8s.io/issuer` * `tls-certificate-issuer-type-overrides` allows specifying a mapping between the suffix of a domain and the issuer-type, to override the default. For example, assuming the 'cluster-issuer' type as the default, then specifying `--tls-certificate-issuer-type-overrides foo.example.com=certmanager.k8s.io/issuer` would mean that foo.example.com and any of its subdomains will use the 'issuer' type instead. In the case of multiple matching suffixes, the more specific (i.e. longest) will be used. +* `tls-certificate-issuer-overrides` allows specifying a mapping between the suffix of a domain and the issuer-name, to override the default. For example, assuming the 'letsencrypt' issuer name as the default, then specifying `--tls-certificate-issuer-type-overrides foo.example.com=issuer-2` would mean that foo.example.com and any of its subdomains will use the 'issuer-2' as issuer name instead. In the case of multiple matching suffixes, the more specific (i.e. longest) will be used. ### use-in-memory-emptydirs diff --git a/fiaas_deploy_daemon/config.py b/fiaas_deploy_daemon/config.py index c13ca7f8..deb85a14 100644 --- a/fiaas_deploy_daemon/config.py +++ b/fiaas_deploy_daemon/config.py 
@@ -370,6 +370,14 @@ def _parse_args(self, args): help="Certificate issuer to use with cert-manager to provision certificates", default=None, ) + tls_parser.add_argument( + "--tls-certificate-issuer-overrides", + help="Issuers name to use for specified domain suffixes", + default=[], + action="append", + type=KeyValue, + dest="tls_certificate_issuer_overrides", + ) tls_parser.add_argument( "--tls-certificate-issuer-type-default", help="The annotation to set for cert-manager to provision certificates", @@ -394,6 +402,9 @@ def _parse_args(self, args): self.tls_certificate_issuer_type_overrides = { issuer_type.key: issuer_type.value for issuer_type in self.tls_certificate_issuer_type_overrides } + self.tls_certificate_issuer_overrides = { + issuer_name.key: issuer_name.value for issuer_name in self.tls_certificate_issuer_overrides + } def _resolve_env(self): image = os.getenv("IMAGE") diff --git a/fiaas_deploy_daemon/deployer/kubernetes/ingress.py b/fiaas_deploy_daemon/deployer/kubernetes/ingress.py index aa5bd6bf..dcad94bd 100644 --- a/fiaas_deploy_daemon/deployer/kubernetes/ingress.py +++ b/fiaas_deploy_daemon/deployer/kubernetes/ingress.py @@ -34,10 +34,14 @@ def __init__(self, config, default_app_spec, ingress_adapter): self._ingress_suffixes = config.ingress_suffixes self._host_rewrite_rules = config.host_rewrite_rules self._ingress_adapter = ingress_adapter - self._tls_issuer_type_default = config.tls_certificate_issuer_type_default + self._tls_issuer_overrides = sorted( + iter(config.tls_certificate_issuer_overrides.items()), key=lambda k_v: len(k_v[0]), reverse=True + ) self._tls_issuer_type_overrides = sorted( iter(config.tls_certificate_issuer_type_overrides.items()), key=lambda k_v: len(k_v[0]), reverse=True ) + self._tls_issuer_type_default = self._get_issuer_type_default_ingress(config) + self._tls_issuer_name_default = config.tls_certificate_issuer def deploy(self, app_spec, labels): if self._should_have_ingress(app_spec): 
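Review bot: The dict comprehension in the second hunk lets a repeated suffix win silently by last occurrence, so two conflicting `--tls-certificate-issuer-overrides foo.example.com=...` entries select an issuer without any warning; since this mapping decides which CA issues certificates for a domain, I would reject duplicates loudly before building the dict, e.g. `if len({o.key for o in self.tls_certificate_issuer_overrides}) != len(self.tls_certificate_issuer_overrides): raise ValueError("duplicate suffix in --tls-certificate-issuer-overrides")`. The existing type-overrides comprehension that this hunk mirrors has the same gap. Note also that the operator-guide example for the new option (first hunk on this page) invokes `--tls-certificate-issuer-type-overrides`, the wrong flag; it should read `--tls-certificate-issuer-overrides foo.example.com=issuer-2`. `_parse_args` starts and ends outside the hunk.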
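Review bot: `self._tls_issuer_type_default` is now computed by `_get_issuer_type_default_ingress`, which reads `self._ingress_suffixes` and `self._tls_issuer_type_overrides`, so the assignment order in `__init__` is load-bearing and nothing says so; a comment such as `# must run after _ingress_suffixes and _tls_issuer_type_overrides are assigned` above that line would keep a future reorder from silently using the configured default for every host. `self._tls_issuer_name_default = config.tls_certificate_issuer` can be `None` when `--tls-certificate-issuer` is unset, which is worth a comment since it ends up as the annotation value in the TLS deployer. `__init__` starts outside the hunk.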
@@ -96,13 +100,39 @@ def _resolve_default_path(self): default_ingress_item = next(ingress_item for ingress_item in self._default_app_spec().ingresses) return next(pathmapping.path for pathmapping in default_ingress_item.pathmappings) + def _get_issuer_type_default_ingress(self, config): + for ingress_suffix in self._ingress_suffixes: + for (suffix, issuer_type) in self._tls_issuer_type_overrides: + if ingress_suffix and (ingress_suffix == suffix or ingress_suffix.endswith("." + suffix)): + return issuer_type + + return config.tls_certificate_issuer_type_default + + def _get_issuer_name_default_ingress(self, app_spec): + for ingress_suffix in self._ingress_suffixes: + if ingress_suffix: + for (suffix, issuer_name) in self._tls_issuer_overrides: + if ingress_suffix == suffix or ingress_suffix.endswith("." + suffix): + return issuer_name + + return app_spec.ingress_tls.certificate_issuer if app_spec.ingress_tls.certificate_issuer else self._tls_issuer_name_default + def _get_issuer_type(self, host): - for (suffix, issuer_type) in self._tls_issuer_type_overrides: - if host and (host == suffix or host.endswith("." + suffix)): - return issuer_type + if host: + for (suffix, issuer_type) in self._tls_issuer_type_overrides: + if (host == suffix or host.endswith("." + suffix)): + return issuer_type return self._tls_issuer_type_default + def _get_issuer_name(self, host, app_spec): + if host: + for (suffix, issuer_name) in self._tls_issuer_overrides: + if (host == suffix or host.endswith("." + suffix)): + return issuer_name + + return app_spec.ingress_tls.certificate_issuer if app_spec.ingress_tls.certificate_issuer else self._tls_issuer_name_default + def _group_ingresses(self, app_spec): """Group the ingresses so that those with annotations are individual, and so that those using non-default TLS-issuers are separated 
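Review bot: In `_get_issuer_name` and `_get_issuer_name_default_ingress` the operator's suffix override is consulted before `app_spec.ingress_tls.certificate_issuer`, so an application's explicit issuer is replaced for any host under an overridden suffix, while the operator guide on this page describes the option as overriding only the default. Either this precedence is intentional (an operator-enforced per-domain CA policy, which is defensible for a cluster operator) and the guide plus a docstring should say so, or the app-spec issuer should be checked first. Independently, the four suffix-matching loops are the same longest-suffix-wins loop copied, and the `app_spec ... if ... else self._tls_issuer_name_default` fallback appears twice; one helper for each keeps the matching rule in a single place.
```python
def _match_suffix(self, host, overrides):
    """Return the value of the longest override suffix matching host, or None.

    overrides is sorted longest-suffix-first, so the first hit is the most specific.
    """
    if host:
        for suffix, value in overrides:
            if host == suffix or host.endswith("." + suffix):
                return value
    return None

def _app_or_default_issuer_name(self, app_spec):
    # Operator default applies only when the app spec names no issuer.
    return app_spec.ingress_tls.certificate_issuer or self._tls_issuer_name_default

def _get_issuer_type(self, host):
    return self._match_suffix(host, self._tls_issuer_type_overrides) or self._tls_issuer_type_default

def _get_issuer_name(self, host, app_spec):
    return self._match_suffix(host, self._tls_issuer_overrides) or self._app_or_default_issuer_name(app_spec)
# … unchanged: the two *_default_ingress helpers, which can call _match_suffix per ingress suffix …
```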
@@ -114,20 +144,23 @@ def _group_ingresses(self, app_spec): ingress_items += self._expand_default_hosts(app_spec) AnnotatedIngress = namedtuple( - "AnnotatedIngress", ["name", "ingress_items", "annotations", "explicit_host", "issuer_type", "default"] + "AnnotatedIngress", ["name", "ingress_items", "annotations", "explicit_host", "issuer_type", "issuer_name", "default"] ) + tls_issuer_name_default = self._get_issuer_name_default_ingress(app_spec) default_ingress = AnnotatedIngress( name=app_spec.name, ingress_items=[], annotations={}, explicit_host=explicit_host, issuer_type=self._tls_issuer_type_default, + issuer_name=tls_issuer_name_default, default=True, ) ingresses = [default_ingress] override_issuer_ingresses = {} for ingress_item in ingress_items: issuer_type = self._get_issuer_type(ingress_item.host) + issuer_name = self._get_issuer_name(ingress_item.host, app_spec) next_name = "{}-{}".format(app_spec.name, len(ingresses) + len(override_issuer_ingresses)) if ingress_item.annotations: annotated_ingresses = AnnotatedIngress( @@ -136,18 +169,20 @@ def _group_ingresses(self, app_spec): annotations=ingress_item.annotations, explicit_host=True, issuer_type=issuer_type, + issuer_name=issuer_name, default=False, ) ingresses.append(annotated_ingresses) - elif issuer_type != self._tls_issuer_type_default: + elif issuer_type != self._tls_issuer_type_default or issuer_name != tls_issuer_name_default: annotated_ingress = override_issuer_ingresses.setdefault( - issuer_type, + "{}:{}".format(issuer_type, issuer_name), AnnotatedIngress( name=next_name, ingress_items=[], annotations={}, explicit_host=explicit_host, issuer_type=issuer_type, + issuer_name=issuer_name, default=False, ), ) 
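Review bot: The grouping key `"{}:{}".format(issuer_type, issuer_name)` is a stringly-typed encoding of a pair; `override_issuer_ingresses.setdefault((issuer_type, issuer_name), ...)` carries the same information as a tuple key without inventing a separator and stops a `None` issuer name from being rendered as the literal text `None` inside the key. The `AnnotatedIngress` namedtuple gained an `issuer_name` field that is passed straight through to the TLS deployer; a comment on its definition noting that `issuer_name` may be `None` when no issuer is configured would help readers of the two ingress adapters. `_group_ingresses` continues past the hunk.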
@@ -211,16 +246,11 @@ def __init__(self, config, ingress_tls): self.enable_deprecated_tls_entry_per_host = config.enable_deprecated_tls_entry_per_host self.ingress_tls = ingress_tls - def apply(self, ingress, app_spec, hosts, issuer_type, use_suffixes=True): + def apply(self, ingress, app_spec, hosts, issuer_type, issuer_name, use_suffixes=True): if self._should_have_ingress_tls(app_spec): tls_annotations = {} if self._cert_issuer or app_spec.ingress_tls.certificate_issuer: - issuer = ( - app_spec.ingress_tls.certificate_issuer - if app_spec.ingress_tls.certificate_issuer - else self._cert_issuer - ) - tls_annotations[issuer_type] = issuer + tls_annotations[issuer_type] = issuer_name else: tls_annotations["kubernetes.io/tls-acme"] = "true" ingress.metadata.annotations = merge_dicts( diff --git a/fiaas_deploy_daemon/deployer/kubernetes/ingress_networkingv1.py b/fiaas_deploy_daemon/deployer/kubernetes/ingress_networkingv1.py index d611f958..35efda73 100644 --- a/fiaas_deploy_daemon/deployer/kubernetes/ingress_networkingv1.py +++ b/fiaas_deploy_daemon/deployer/kubernetes/ingress_networkingv1.py @@ -69,7 +69,7 @@ def create_ingress(self, app_spec, annotated_ingress, labels): hosts_for_tls = [rule.host for rule in per_host_ingress_rules] self._ingress_tls_deployer.apply( - ingress, app_spec, hosts_for_tls, annotated_ingress.issuer_type, use_suffixes=use_suffixes + ingress, app_spec, hosts_for_tls, annotated_ingress.issuer_type, annotated_ingress.issuer_name, use_suffixes=use_suffixes ) self._owner_references.apply(ingress, app_spec) self._extension_hook.apply(ingress, app_spec) diff --git a/fiaas_deploy_daemon/deployer/kubernetes/ingress_v1beta1.py b/fiaas_deploy_daemon/deployer/kubernetes/ingress_v1beta1.py index 01896d87..e55d6897 100644 --- a/fiaas_deploy_daemon/deployer/kubernetes/ingress_v1beta1.py +++ b/fiaas_deploy_daemon/deployer/kubernetes/ingress_v1beta1.py 
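Review bot: `apply` still gates the cert-manager annotation on `self._cert_issuer or app_spec.ingress_tls.certificate_issuer`, but the value it now writes is the caller-supplied `issuer_name`, which can originate from `--tls-certificate-issuer-overrides` alone; an operator who configures suffix overrides without a global `--tls-certificate-issuer` therefore never sees them applied, and every ingress falls back to `kubernetes.io/tls-acme: "true"`. The gate should follow the value it writes: `if issuer_name:`. That also prevents writing a `None` annotation value in the opposite mismatch. `apply` continues past the hunk.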
@@ -60,7 +60,7 @@ def create_ingress(self, app_spec, annotated_ingress, labels): hosts_for_tls = [rule.host for rule in per_host_ingress_rules] self._ingress_tls_deployer.apply( - ingress, app_spec, hosts_for_tls, annotated_ingress.issuer_type, use_suffixes=use_suffixes + ingress, app_spec, hosts_for_tls, annotated_ingress.issuer_type, annotated_ingress.issuer_name, use_suffixes=use_suffixes ) self._owner_references.apply(ingress, app_spec) self._extension_hook.apply(ingress, app_spec) diff --git a/fiaas_deploy_daemon/tools.py b/fiaas_deploy_daemon/tools.py index ae5a04fe..87a03b23 100644 --- a/fiaas_deploy_daemon/tools.py +++ b/fiaas_deploy_daemon/tools.py @@ -34,7 +34,7 @@ def log_request_response(resp, *args, **kwargs): return # k8s library already does its own dumping, we don't need to do it here log = logging.getLogger(__name__) data = dump_all(resp, "<<<", ">>>") - log.debug("Request/Response\n" + data) + log.debug("Request/Response\n" + data.decode('utf-8')) class IterableQueue(Queue, Iterator): diff --git a/fiaas_deploy_daemon/usage_reporting/dev_hose_auth.py b/fiaas_deploy_daemon/usage_reporting/dev_hose_auth.py index ca65a154..8710b978 100644 --- a/fiaas_deploy_daemon/usage_reporting/dev_hose_auth.py +++ b/fiaas_deploy_daemon/usage_reporting/dev_hose_auth.py @@ -29,13 +29,13 @@ class DevHoseAuth(AuthBase): def __init__(self, key, tenant): self._key = base64.b64decode(key.strip()) - self._auth_context = base64.b64encode(json.dumps({"type": tenant}).encode("utf-8")).decode("utf-8") + self._auth_context = base64.b64encode(json.dumps({"type": tenant}).encode("utf-8")) def __call__(self, r): timestamp = time.time() nonce = str(uuid.uuid4()) r.headers["Content-Signature"] = self._calculate_signature(r, timestamp, nonce) - r.headers["DevHose-AuthContext"] = self._auth_context + r.headers["DevHose-AuthContext"] = self._auth_context.decode("utf-8") r.headers["DevHose-Nonce"] = nonce r.headers["Date"] = email.utils.formatdate(timestamp) return r 
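Review bot: `data.decode('utf-8')` in `log_request_response` uses strict decoding, so a non-UTF-8 response body (binary payloads, latin-1 error pages) raises `UnicodeDecodeError` out of a logging hook and turns a debug nicety into a request failure; prefer `log.debug("Request/Response\n%s", data.decode("utf-8", errors="replace"))`, which also defers the string build until debug logging is enabled. Since this dumps the whole exchange, presumably headers included, whatever credentials the request carries land in debug logs, and a one-line comment warning against debug logging in production would be a cheap safeguard. `log_request_response` starts outside the hunk.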
@@ -53,7 +53,7 @@ def _create_string_to_sign(self, r, timestamp, nonce): quote_plus(nonce.encode("utf-8")), str(int(timestamp) * 1000), quote_plus(self._auth_context), - quote_plus(r.body.encode("utf-8")), + quote_plus(r.body), "", ) ) diff --git a/tests/fiaas_deploy_daemon/deployer/kubernetes/test_ingress_deploy.py b/tests/fiaas_deploy_daemon/deployer/kubernetes/test_ingress_deploy.py index 91d6c4c0..094eabac 100644 --- a/tests/fiaas_deploy_daemon/deployer/kubernetes/test_ingress_deploy.py +++ b/tests/fiaas_deploy_daemon/deployer/kubernetes/test_ingress_deploy.py @@ -50,7 +50,8 @@ ANNOTATIONS = {"some/annotation": "val"} LABEL_SELECTOR_PARAMS = {"labelSelector": "app=testapp,fiaas/deployment_id,fiaas/deployment_id!=12345"} INGRESSES_URI = "/apis/extensions/v1beta1/namespaces/default/ingresses/" -DEFAULT_TLS_ISSUER = "certmanager.k8s.io/cluster-issuer" +DEFAULT_TLS_ISSUER_TYPE = "certmanager.k8s.io/cluster-issuer" +DEFAULT_TLS_ISSUER = "letsencrypt" DEFAULT_TLS_ANNOTATIONS = {"certmanager.k8s.io/cluster-issuer": "letsencrypt"} @@ -743,8 +744,10 @@ def config(self): HostRewriteRule(r"([\w\.\-]+)\.svc.test.example.com=dont-rewrite-suffix-urls.example.com"), HostRewriteRule(r"([\w\.\-]+)\.127.0.0.1.xip.io=dont-rewrite-suffix-urls.example.com"), ] - config.tls_certificate_issuer_type_default = DEFAULT_TLS_ISSUER + config.tls_certificate_issuer_type_default = DEFAULT_TLS_ISSUER_TYPE + config.tls_certificate_issuer = DEFAULT_TLS_ISSUER config.tls_certificate_issuer_type_overrides = {} + config.tls_certificate_issuer_overrides = {} return config @pytest.fixture 
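Review bot: `quote_plus(r.body)` raises `TypeError` when `r.body` is `None`, which is what `requests` sets for bodyless requests, so a GET or HEAD signed by this handler fails before it is sent; the previous `r.body.encode(...)` failed the same way, but this is the moment to fix it with `quote_plus(r.body or b"")`. If a body can be file-like or a generator (streamed upload), no signature can be computed from it and the handler should raise a clear error rather than let `quote_plus` fail. Confirm the server canonicalises an empty body as the empty string so the signatures still agree. `_create_string_to_sign` starts outside the hunk.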
@@ -914,21 +917,30 @@ def test_applies_ingress_tls_deployer(self, deployer, ingress_tls_deployer, app_ get_or_create.return_value = mock.create_autospec(Ingress, spec_set=True) deployer.deploy(app_spec, LABELS) ingress_tls_deployer.apply.assert_called_once_with( - TypeMatcher(Ingress), app_spec, hosts, DEFAULT_TLS_ISSUER, use_suffixes=True + TypeMatcher(Ingress), app_spec, hosts, DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, use_suffixes=True ) @pytest.fixture - def deployer_issuer_overrides(self, config, default_app_spec, ingress_adapter): + def deployer_issuer_type_overrides(self, config, default_app_spec, ingress_adapter): config.tls_certificate_issuer_type_overrides = { "foo.example.com": "certmanager.k8s.io/issuer", - "bar.example.com": "certmanager.k8s.io/cluster-issuer", - "foo.bar.example.com": "certmanager.k8s.io/issuer", + "bar.example.com": DEFAULT_TLS_ISSUER_TYPE, + "foo.bar.example.com": "certmanager.k8s.io/issuer" + } + return IngressDeployer(config, default_app_spec, ingress_adapter) + + @pytest.fixture + def deployer_issuer_overrides(self, config, default_app_spec, ingress_adapter): + config.tls_certificate_issuer_overrides = { + "foo.example.com": "issuerOne", + "bar.example.com": "issuerTwo", + "foo.bar.example.com": "issuerThree" } return IngressDeployer(config, default_app_spec, ingress_adapter) @pytest.mark.usefixtures("delete") - def test_applies_ingress_tls_deployer_issuer_overrides( - self, post, deployer_issuer_overrides, ingress_tls_deployer, app_spec + def test_applies_ingress_tls_deployer_issuer_type_overrides( + self, post, deployer_issuer_type_overrides, ingress_tls_deployer, app_spec ): with mock.patch("k8s.models.ingress.Ingress.get_or_create") as get_or_create: get_or_create.return_value = mock.create_autospec(Ingress, spec_set=True) 
@@ -963,7 +975,7 @@ def test_applies_ingress_tls_deployer_issuer_overrides( ), ] - deployer_issuer_overrides.deploy(app_spec, LABELS) + deployer_issuer_type_overrides.deploy(app_spec, LABELS) host_groups = [sorted(call.args[2]) for call in ingress_tls_deployer.apply.call_args_list] ingress_names = [call.kwargs["metadata"].name for call in get_or_create.call_args_list] expected_host_groups = [ 
@@ -982,6 +994,47 @@ def test_applies_ingress_tls_deployer_issuer_overrides( assert expected_host_groups == sorted(host_groups) assert expected_ingress_names == sorted(ingress_names) + @pytest.mark.usefixtures("delete") + def test_applies_ingress_tls_deployer_issuer_overrides(self, post, deployer_issuer_overrides, ingress_tls_deployer, app_spec): + with mock.patch("k8s.models.ingress.Ingress.get_or_create") as get_or_create: + get_or_create.return_value = mock.create_autospec(Ingress, spec_set=True) + app_spec.ingresses[:] = [ + # has issuer-override + IngressItemSpec(host="foo.example.com", pathmappings=[IngressPathMappingSpec(path="/", port=80)], annotations={}), + # no issuer-override + IngressItemSpec(host="bar.example.com", pathmappings=[IngressPathMappingSpec(path="/", port=80)], annotations={}), + IngressItemSpec(host="foo.bar.example.com", pathmappings=[IngressPathMappingSpec(path="/", port=80)], annotations={}), + IngressItemSpec(host="other.example.com", pathmappings=[IngressPathMappingSpec(path="/", port=80)], annotations={}), + # suffix has issuer-override + IngressItemSpec(host="sub.foo.example.com", pathmappings=[IngressPathMappingSpec(path="/", port=80)], annotations={}), + # more specific suffix has issuer-override + IngressItemSpec(host="sub.bar.example.com", pathmappings=[IngressPathMappingSpec(path="/", port=80)], annotations={}), + # has annotations + IngressItemSpec(host="ann.foo.example.com", pathmappings=[IngressPathMappingSpec(path="/", port=80)], + annotations={"some": "annotation"}) + ] + + deployer_issuer_overrides.deploy(app_spec, LABELS) + host_groups = [sorted(call.args[2]) for call in ingress_tls_deployer.apply.call_args_list] + ingress_names = [call.kwargs['metadata'].name for call in get_or_create.call_args_list] + expected_host_groups = [ + ["ann.foo.example.com"], + ["bar.example.com", "sub.bar.example.com"], + ["foo.bar.example.com"], + ["foo.example.com", "sub.foo.example.com"], + ["other.example.com", 
"testapp.127.0.0.1.xip.io", "testapp.svc.test.example.com"] + ] + expected_ingress_names = [ + "testapp", + "testapp-1", + "testapp-2", + "testapp-3", + "testapp-4" + ] + assert ingress_tls_deployer.apply.call_count == 5 + assert expected_host_groups == sorted(host_groups) + assert expected_ingress_names == sorted(ingress_names) + class TestIngressTLSDeployer(object): HOSTS = ["host1", "host2", "host3", "this.host.is.so.long.that.it.is.impossible.to.use.as.the.common.name"] @@ -1010,12 +1063,13 @@ def tls(self, request, config): return IngressTLSDeployer(config, IngressTLS) @pytest.mark.parametrize( - "tls, app_spec, spec_tls, issuer_type, tls_annotations", + "tls, app_spec, spec_tls, issuer_type, issuer_name, tls_annotations", [ ( {"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True}, app_spec(ingress_tls=IngressTLSSpec(enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS, + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, {"kubernetes.io/tls-acme": "true"}, ), @@ -1023,6 +1077,7 @@ def tls(self, request, config): {"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True}, app_spec(ingress_tls=IngressTLSSpec(enabled=False, certificate_issuer=None)), [], + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, None, ), @@ -1030,6 +1085,7 @@ def tls(self, request, config): {"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True}, app_spec(ingress_tls=IngressTLSSpec(enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS, + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, {"kubernetes.io/tls-acme": "true"}, ), @@ -1037,6 +1093,7 @@ def tls(self, request, config): {"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True}, app_spec(ingress_tls=IngressTLSSpec(enabled=False, certificate_issuer=None)), [], + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, None, ), 
@@ -1044,6 +1101,7 @@ def tls(self, request, config): {"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True}, app_spec(ingress_tls=IngressTLSSpec(enabled=True, certificate_issuer=None)), [], + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, None, ), @@ -1051,6 +1109,7 @@ def tls(self, request, config): {"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True}, app_spec(ingress_tls=IngressTLSSpec(enabled=False, certificate_issuer=None)), [], + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, None, ), @@ -1063,6 +1122,7 @@ def tls(self, request, config): app_spec(ingress_tls=IngressTLSSpec(enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS, "overwrite-issuer", + DEFAULT_TLS_ISSUER, {"overwrite-issuer": "letsencrypt"}, ), ( @@ -1073,6 +1133,7 @@ def tls(self, request, config): }, app_spec(ingress_tls=IngressTLSSpec(enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS, + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, DEFAULT_TLS_ANNOTATIONS, ), @@ -1084,20 +1145,23 @@ def tls(self, request, config): }, app_spec(ingress_tls=IngressTLSSpec(enabled=True, certificate_issuer="myoverwrite")), INGRESS_SPEC_TLS, - DEFAULT_TLS_ISSUER, + DEFAULT_TLS_ISSUER_TYPE, + "myoverwrite", {"certmanager.k8s.io/cluster-issuer": "myoverwrite"}, ), ( {"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True}, app_spec(ingress_tls=IngressTLSSpec(enabled=True, certificate_issuer="myoverwrite")), INGRESS_SPEC_TLS, - DEFAULT_TLS_ISSUER, + DEFAULT_TLS_ISSUER_TYPE, + "myoverwrite", {"certmanager.k8s.io/cluster-issuer": "myoverwrite"}, ), ( {"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False}, app_spec(ingress_tls=IngressTLSSpec(enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS_COLLAPSED_ONLY, + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, {"kubernetes.io/tls-acme": "true"}, ), 
@@ -1105,6 +1169,7 @@ def tls(self, request, config): {"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False}, app_spec(ingress_tls=IngressTLSSpec(enabled=False, certificate_issuer=None)), [], + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, None, ), @@ -1112,6 +1177,7 @@ def tls(self, request, config): {"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False}, app_spec(ingress_tls=IngressTLSSpec(enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS_COLLAPSED_ONLY, + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, {"kubernetes.io/tls-acme": "true"}, ), @@ -1119,6 +1185,7 @@ def tls(self, request, config): {"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False}, app_spec(ingress_tls=IngressTLSSpec(enabled=False, certificate_issuer=None)), [], + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, None, ), @@ -1126,6 +1193,7 @@ def tls(self, request, config): {"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False}, app_spec(ingress_tls=IngressTLSSpec(enabled=True, certificate_issuer=None)), [], + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, None, ), 
@@ -1133,16 +1201,17 @@ def tls(self, request, config): {"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False}, app_spec(ingress_tls=IngressTLSSpec(enabled=False, certificate_issuer=None)), [], + DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, None, ), ], indirect=["tls"], ) - def test_apply_tls(self, tls, app_spec, spec_tls, issuer_type, tls_annotations): + def test_apply_tls(self, tls, app_spec, spec_tls, issuer_type, issuer_name, tls_annotations): ingress = Ingress() ingress.metadata = ObjectMeta(name=app_spec.name) - tls.apply(ingress, app_spec, self.HOSTS, issuer_type) + tls.apply(ingress, app_spec, self.HOSTS, issuer_type, issuer_name) assert ingress.metadata.annotations == tls_annotations assert ingress.spec.tls == spec_tls diff --git a/tests/fiaas_deploy_daemon/deployer/kubernetes/test_networking_v1_ingress.py b/tests/fiaas_deploy_daemon/deployer/kubernetes/test_networking_v1_ingress.py index c4ca54a3..68157da1 100644 --- a/tests/fiaas_deploy_daemon/deployer/kubernetes/test_networking_v1_ingress.py +++ b/tests/fiaas_deploy_daemon/deployer/kubernetes/test_networking_v1_ingress.py @@ -49,7 +49,8 @@ ANNOTATIONS = {"some/annotation": "val"} LABEL_SELECTOR_PARAMS = {"labelSelector": "app=testapp,fiaas/deployment_id,fiaas/deployment_id!=12345"} INGRESSES_URI = "/apis/networking.k8s.io/v1/namespaces/default/ingresses/" -DEFAULT_TLS_ISSUER = "certmanager.k8s.io/cluster-issuer" +DEFAULT_TLS_ISSUER_TYPE = "certmanager.k8s.io/cluster-issuer" +DEFAULT_TLS_ISSUER = "letsencrypt" DEFAULT_TLS_ANNOTATIONS = {"certmanager.k8s.io/cluster-issuer": "letsencrypt"} 
@@ -447,8 +448,10 @@ def config(self): HostRewriteRule(r"([\w\.\-]+)\.svc.test.example.com=dont-rewrite-suffix-urls.example.com"), HostRewriteRule(r"([\w\.\-]+)\.127.0.0.1.xip.io=dont-rewrite-suffix-urls.example.com"), ] - config.tls_certificate_issuer_type_default = DEFAULT_TLS_ISSUER + config.tls_certificate_issuer_type_default = DEFAULT_TLS_ISSUER_TYPE + config.tls_certificate_issuer = DEFAULT_TLS_ISSUER config.tls_certificate_issuer_type_overrides = {} + config.tls_certificate_issuer_overrides = {} return config @pytest.fixture @@ -604,7 +607,7 @@ def test_applies_ingress_tls_deployer(self, deployer, ingress_tls_deployer, app_ get_or_create.return_value = mock.create_autospec(Ingress, spec_set=True) deployer.deploy(app_spec, LABELS) ingress_tls_deployer.apply.assert_called_once_with( - TypeMatcher(Ingress), app_spec, hosts, DEFAULT_TLS_ISSUER, use_suffixes=True + TypeMatcher(Ingress), app_spec, hosts, DEFAULT_TLS_ISSUER_TYPE, DEFAULT_TLS_ISSUER, use_suffixes=True ) @pytest.fixture