projectcontour · robbiemcmichael · Nov 19, 2018 · Nov 21, 2018 · Jan 13, 2019 · Jan 14, 2019
diff --git a/apis/contour/v1beta1/ingressroute.go b/apis/contour/v1beta1/ingressroute.go
@@ -86,6 +86,8 @@ type Service struct {
 	HealthCheck *HealthCheck `json:"healthCheck,omitempty"`
 	// LB Algorithm to apply (see https://github.com/heptio/contour/blob/master/design/ingressroute-design.md#load-balancing)
 	Strategy string `json:"strategy,omitempty"`
+	// Optional TLS verification of the service using a CA certificate
+	TLSVerification *TLSVerification `json:"tlsVerification,omitempty"`
 }
 
 // Delegate allows for delegating VHosts to other IngressRoutes
@@ -114,6 +116,21 @@ type HealthCheck struct {
 	HealthyThresholdCount uint32 `json:"healthyThresholdCount"`
 }
 
+// TLS verification for the upstream services
+type TLSVerification struct {
+	// Required, the CA to use for TLS verification
+	CA CA `json:"ca"`
+	// If specified, the hostname must be included in the certificate's Subject
+	// Alternative Names field
+	Hostname string `json:"hostname"`
+}
+
+// TLS verification for the upstream services
+type CA struct {
+	// Required, the name of a configmap in the current namespace
+	ConfigMapName string `json:"configMapName"`
+}
+
 // Status reports the current state of the IngressRoute
 type Status struct {
 	CurrentStatus string `json:"currentStatus"`

diff --git a/cmd/contour/contour.go b/cmd/contour/contour.go
@@ -166,6 +166,7 @@ func main() {
 		wl := log.WithField("context", "watch")
 		k8s.WatchServices(&g, client, wl, &reh)
 		k8s.WatchIngress(&g, client, wl, &reh)
+		k8s.WatchConfigMaps(&g, client, wl, &reh)
 		k8s.WatchSecrets(&g, client, wl, &reh)
 		k8s.WatchIngressRoutes(&g, contourClient, wl, &reh)
 

diff --git a/deployment/common/common.yaml b/deployment/common/common.yaml
@@ -147,4 +147,19 @@ spec:
                               type: integer
                             healthyThresholdCount:
                               type: integer
+                        tlsVerification:
+                          type: object
+                          required:
+                            - ca
+                          properties:
+                            ca:
+                              type: object
+                              required:
+                                - configMapName
+                              properties:
+                                configMapName:
+                                  type: string
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ # DNS-1123 subdomain
+                            hostnames:
+                              type: string
 ---
diff --git a/deployment/common/rbac.yaml b/deployment/common/rbac.yaml
@@ -19,7 +19,6 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - configmaps
   - endpoints
   - nodes
   - pods
@@ -36,6 +35,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - services
   verbs:
   - get

diff --git a/deployment/render/daemonset-rbac.yaml b/deployment/render/daemonset-rbac.yaml
@@ -150,6 +150,21 @@ spec:
                               type: integer
                             healthyThresholdCount:
                               type: integer
+                        tlsVerification:
+                          type: object
+                          required:
+                            - ca
+                          properties:
+                            ca:
+                              type: object
+                              required:
+                                - configMapName
+                              properties:
+                                configMapName:
+                                  type: string
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ # DNS-1123 subdomain
+                            hostnames:
+                              type: string
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
@@ -244,7 +259,6 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - configmaps
   - endpoints
   - nodes
   - pods
@@ -261,6 +275,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - services
   verbs:
   - get

diff --git a/deployment/render/deployment-rbac.yaml b/deployment/render/deployment-rbac.yaml
@@ -150,6 +150,21 @@ spec:
                               type: integer
                             healthyThresholdCount:
                               type: integer
+                        tlsVerification:
+                          type: object
+                          required:
+                            - ca
+                          properties:
+                            ca:
+                              type: object
+                              required:
+                                - configMapName
+                              properties:
+                                configMapName:
+                                  type: string
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ # DNS-1123 subdomain
+                            hostnames:
+                              type: string
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -261,7 +276,6 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - configmaps
   - endpoints
   - nodes
   - pods
@@ -278,6 +292,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - services
   verbs:
   - get

diff --git a/internal/contour/cluster.go b/internal/contour/cluster.go
@@ -97,13 +97,7 @@ func visitClusters(root dag.Vertex) map[string]*v2.Cluster {
 
 func (v *clusterVisitor) visit(vertex dag.Vertex) {
 	switch service := vertex.(type) {
-	case *dag.HTTPService:
-		name := envoy.Clustername(&service.TCPService)
-		if _, ok := v.clusters[name]; !ok {
-			c := envoy.Cluster(service)
-			v.clusters[c.Name] = c
-		}
-	case *dag.TCPService:
+	case dag.Service:
 		name := envoy.Clustername(service)
 		if _, ok := v.clusters[name]; !ok {
 			c := envoy.Cluster(service)