Improve best-cert guessing with empty tls.hosts #2698

merged 1 commit into from
Jun 25, 2018
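--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -1063,7 +1063,7 @@ func extractTLSSecretName(host string, ing *extensions.Ingress,
 }
 }
 
-// no TLS host matching host name, try each TLS host for matching CN
+// no TLS host matching host name, try each TLS host for matching SAN or CN
 for _, tls := range ing.Spec.TLS {
 key := fmt.Sprintf("%v/%v", ing.Namespace, tls.SecretName)
 cert, err := getLocalSSLCert(key)
@@ -1072,13 +1072,16 @@ func extractTLSSecretName(host string, ing *extensions.Ingress,
 continue
 }
 
-if cert == nil {
+if cert == nil { // for tests
 continue
 }
 
-if sets.NewString(cert.CN...).Has(host) {
-return tls.SecretName
+err = cert.Certificate.VerifyHostname(host)
+if err != nil {
+continue
 }
+glog.V(3).Infof("Found SSL certificate matching host %q: %q", host, key)
+return tls.SecretName
 }
 
 return ""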
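Review bot: `cert.Certificate.VerifyHostname(host)` runs right after the `cert == nil` guard, but nothing checks that `cert.Certificate` itself is non-nil; if an SSLCert can be stored without a parsed leaf certificate (I cannot see the struct or getLocalSSLCert from this hunk, so this is inferred), the call dereferences a nil `*x509.Certificate` and panics inside the sync loop, which any tenant could trigger simply by pointing an Ingress at such a Secret. Widening the guard to `if cert == nil || cert.Certificate == nil { continue }` keeps this fallback best-effort instead of fatal. Replacing the CN set lookup with `VerifyHostname` is the right direction — it applies SAN matching with wildcard rules rather than trusting the deprecated Common Name — but the new comment over-promises: Go consults the Common Name only when the certificate presents no DNS SANs, so `// no TLS host matching host name; try each TLS secret's certificate for a SAN (or, when no SAN is present, legacy CN) match` describes it more accurately. extractTLSSecretName begins before the first hunk.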
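--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -17,6 +17,9 @@ limitations under the License.
 package controller
 
 import (
+"crypto/x509"
+"crypto/x509/pkix"
+"encoding/asn1"
 "testing"
 
 extensions "k8s.io/api/extensions/v1beta1"
@@ -25,29 +28,29 @@ import (
 )
 
 func TestExtractTLSSecretName(t *testing.T) {
-tests := []struct {
+testCases := map[string]struct {
 host string
 ingress *extensions.Ingress
 fn func(string) (*ingress.SSLCert, error)
 expName string
 }{
-{
+"nil ingress": {
 "foo.bar",
 nil,
 func(string) (*ingress.SSLCert, error) {
 return nil, nil
 },
 "",
 },
-{
+"empty ingress": {
 "foo.bar",
 &extensions.Ingress{},
 func(string) (*ingress.SSLCert, error) {
 return nil, nil
 },
 "",
 },
-{
+"ingress tls, nil secret": {
 "foo.bar",
 &extensions.Ingress{
 ObjectMeta: metav1.ObjectMeta{
@@ -69,7 +72,7 @@ func TestExtractTLSSecretName(t *testing.T) {
 },
 "",
 },
-{
+"ingress tls, no host, matching cert cn": {
 "foo.bar",
 &extensions.Ingress{
 ObjectMeta: metav1.ObjectMeta{
@@ -88,12 +91,12 @@ func TestExtractTLSSecretName(t *testing.T) {
 },
 func(string) (*ingress.SSLCert, error) {
 return &ingress.SSLCert{
-CN: []string{"foo.bar", "example.com"},
+Certificate: fakeX509Cert([]string{"foo.bar", "example.com"}),
 }, nil
 },
 "demo",
 },
-{
+"ingress tls, no host, wildcard cert with matching cn": {
 "foo.bar",
 &extensions.Ingress{
 ObjectMeta: metav1.ObjectMeta{
@@ -102,30 +105,67 @@ func TestExtractTLSSecretName(t *testing.T) {
 Spec: extensions.IngressSpec{
 TLS: []extensions.IngressTLS{
 {
-Hosts: []string{"foo.bar", "example.com"},
 SecretName: "demo",
 },
 },
 Rules: []extensions.IngressRule{
 {
-Host: "foo.bar",
+Host: "test.foo.bar",
 },
 },
 },
 },
 func(string) (*ingress.SSLCert, error) {
 return &ingress.SSLCert{
-CN: []string{"foo.bar", "example.com"},
+Certificate: fakeX509Cert([]string{"*.foo.bar", "foo.bar"}),
 }, nil
 },
 "demo",
 },
+"ingress tls, hosts, matching cert cn": {
+"foo.bar",
+&extensions.Ingress{
+ObjectMeta: metav1.ObjectMeta{
+Name: "test",
+},
+Spec: extensions.IngressSpec{
+TLS: []extensions.IngressTLS{
+{
+Hosts: []string{"foo.bar", "example.com"},
+SecretName: "demo",
+},
+},
+Rules: []extensions.IngressRule{
+{
+Host: "foo.bar",
+},
+},
+},
+},
+func(string) (*ingress.SSLCert, error) {
+return nil, nil
+},
+"demo",
+},
 }
 
-for _, testCase := range tests {
-name := extractTLSSecretName(testCase.host, testCase.ingress, testCase.fn)
-if name != testCase.expName {
-t.Errorf("expected %v as the name of the secret but got %v", testCase.expName, name)
-}
+for title, tc := range testCases {
+t.Run(title, func(t *testing.T) {
+name := extractTLSSecretName(tc.host, tc.ingress, tc.fn)
+if name != tc.expName {
+t.Errorf("Expected Secret name %q (got %q)", tc.expName, name)
+}
+})
 }
 }
+
+var oidExtensionSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
+
+func fakeX509Cert(dnsNames []string) *x509.Certificate {
+return &x509.Certificate{
+DNSNames: dnsNames,
+Extensions: []pkix.Extension{
+{Id: oidExtensionSubjectAltName},
+},
+}
+}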
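Review bot: The "wildcard cert" case never exercises wildcard matching: extractTLSSecretName is called with the case's host `"foo.bar"` (the Rules entry `test.foo.bar` is not what the function receives), and the fake certificate also lists the exact name `"foo.bar"`, so the case passes even if `*.foo.bar` were ignored entirely. Changing the case's host to `"test.foo.bar"` and the SAN list to `fakeX509Cert([]string{"*.foo.bar"})` would make the test fail if wildcard SAN handling regressed. fakeX509Cert also deserves a sentence on why it attaches an empty extension carrying the subjectAltName OID (2.5.29.17) — presumably so VerifyHostname treats the certificate as SAN-bearing and does not fall back to the empty Common Name — for example `// fakeX509Cert builds an unsigned certificate carrying only the given DNS SANs; the bare subjectAltName extension marks it SAN-bearing so VerifyHostname does not fall back to the (empty) Common Name.`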