Copy generated hostnames into TLS spec for HTTPS endpoints probe

knative-extensions · Jan 23, 2022 · afbbaf6 · afbbaf6
1 parent ec3f1a4
commit afbbaf6
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 10 deletions.
diff --git a/pkg/reconciler/contour/resources/kingress.go b/pkg/reconciler/contour/resources/kingress.go
@@ -51,14 +51,6 @@ func MakeEndpointProbeIngress(ctx context.Context, ing *v1alpha1.Ingress, previo
 		},
 	}
 
-	hasCert := len(ing.Spec.TLS) > 0 || config.FromContext(ctx).Contour.DefaultTLSSecret != nil
-
-	if ing.Spec.HTTPOption == v1alpha1.HTTPOptionRedirected && hasCert {
-		// Set the probe to operate over HTTPS IFF we have certificates AND are TLS-required
-		childIng.Spec.HTTPOption = v1alpha1.HTTPOptionRedirected
-		childIng.Spec.TLS = append(childIng.Spec.TLS, ing.Spec.TLS...)
-	}
-
 	sns := ServiceNames(ctx, ing)
 
 	// Reverse engineer our previous state from the prior generation's HTTP Proxy resources.
@@ -112,15 +104,19 @@ func MakeEndpointProbeIngress(ctx context.Context, ing *v1alpha1.Ingress, previo
 	l := order.List()
 	logging.FromContext(ctx).Debugf("Endpoints probe will cover services: %v", l)
 
+	probeHosts := make([]string, 0, len(l))
+
 	for _, name := range l {
 		si := sns[name]
 		if si.HasPath {
 			// TODO(https://github.com/knative-sandbox/net-certmanager/issues/44): Remove this.
 			continue
 		}
 		for _, vis := range si.Visibilities() {
+			host := fmt.Sprintf("%s.gen-%d.%s.%s.net-contour.invalid", name, ing.Generation, ing.Name, ing.Namespace)
+			probeHosts = append(probeHosts, host)
 			childIng.Spec.Rules = append(childIng.Spec.Rules, v1alpha1.IngressRule{
-				Hosts:      []string{fmt.Sprintf("%s.gen-%d.%s.%s.net-contour.invalid", name, ing.Generation, ing.Name, ing.Namespace)},
+				Hosts:      []string{host},
 				Visibility: vis,
 				HTTP: &v1alpha1.HTTPIngressRuleValue{
 					Paths: []v1alpha1.HTTPIngressPath{{
@@ -139,5 +135,16 @@ func MakeEndpointProbeIngress(ctx context.Context, ing *v1alpha1.Ingress, previo
 		}
 	}
 
+	hasCert := len(ing.Spec.TLS) > 0 || config.FromContext(ctx).Contour.DefaultTLSSecret != nil
+
+	if ing.Spec.HTTPOption == v1alpha1.HTTPOptionRedirected && hasCert {
+		// Set the probe to operate over HTTPS IFF we have certificates AND are TLS-required
+		childIng.Spec.HTTPOption = v1alpha1.HTTPOptionRedirected
+		childIng.Spec.TLS = append(childIng.Spec.TLS, ing.Spec.TLS...)
+		for i := range childIng.Spec.TLS {
+			childIng.Spec.TLS[i].Hosts = probeHosts
+		}
+	}
+
 	return childIng
 }
diff --git a/pkg/reconciler/contour/resources/kingress_test.go b/pkg/reconciler/contour/resources/kingress_test.go
@@ -325,7 +325,7 @@ func TestMakeEndpointProbeIngress(t *testing.T) {
 					},
 				}},
 				TLS: []v1alpha1.IngressTLS{{
-					Hosts:      []string{"example.com"},
+					Hosts:      []string{"goo.gen-0.bar.foo.net-contour.invalid"},
 					SecretName: "example",
 				}},
 			},