Add TLSStores to Kubernetes CRD

This commit is contained in:
Daniel Tomcej 2020-02-24 08:14:06 -08:00 committed by GitHub
parent 101aefbfe8
commit a474e196ea
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
34 changed files with 1560 additions and 6 deletions

View file

@ -57,6 +57,21 @@ spec:
singular: tlsoption singular: tlsoption
scope: Namespaced scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsstores.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSStore
plural: tlsstores
singular: tlsstore
scope: Namespaced
--- ---
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition

View file

@ -41,6 +41,21 @@ spec:
singular: tlsoption singular: tlsoption
scope: Namespaced scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsstores.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSStore
plural: tlsstores
singular: tlsstore
scope: Namespaced
--- ---
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition

View file

@ -890,6 +890,82 @@ or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`Ingre
just as in the [middleware case](../../middlewares/overview.md#provider-namespace). just as in the [middleware case](../../middlewares/overview.md#provider-namespace).
Specifying a namespace attribute in this case would not make any sense, and will be ignored. Specifying a namespace attribute in this case would not make any sense, and will be ignored.
### Kind: `TLSStore`
`TLSStore` is the CRD implementation of a [Traefik "TLS Store"](../../https/tls.md#certificates-stores).
Register the `TLSStore` kind in the Kubernetes cluster before creating `TLSStore` objects
or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`IngressRouteTCP`](#kind-ingressroutetcp) objects.
!!! important "Default TLS Store"
Traefik currently only uses the [TLS Store named "default"](../../https/tls.md#certificates-stores).
This means that if you have two stores that are named default in different kubernetes namespaces,
they may be randomly chosen.
For the time being, please only configure one TLSSTore named default.
!!! info "TLSStore Attributes"
```yaml tab="TLSStore"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: default
spec:
defaultCertificate:
secretName: mySecret # [1]
```
| Ref | Attribute | Purpose |
|-----|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `secretName` | The name of the referenced Kubernetes [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) that holds the default certificate for the store. |
??? example "Declaring and referencing a TLSStore"
```yaml tab="TLSStore"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: default
spec:
defaultCertificate:
secretName: supersecret
```
```yaml tab="IngressRoute"
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- web
routes:
- match: Host(`bar.com`) && PathPrefix(`/stripit`)
kind: Rule
services:
- name: whoami
port: 80
tls:
store:
name: default
```
```yaml tab="Secret"
apiVersion: v1
kind: Secret
metadata:
name: supersecret
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
```
## Further ## Further
Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt. Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt.

View file

@ -57,6 +57,22 @@ spec:
singular: tlsoption singular: tlsoption
scope: Namespaced scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsstores.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSStore
plural: tlsstores
singular: tlsstore
scope: Namespaced
--- ---
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition

View file

@ -19,3 +19,5 @@ spec:
tls: tls:
options: options:
name: mytlsoption name: mytlsoption
store:
name: mytlsstore

View file

@ -0,0 +1,9 @@
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
name: mytlsstore
namespace: default
spec:
defaultCertificate:
secretName: tls-cert

View file

@ -16,3 +16,5 @@ spec:
tls: tls:
options: options:
name: mytlsoption name: mytlsoption
store:
name: mytlsstore

View file

@ -51,6 +51,7 @@ type Client interface {
GetTraefikService(namespace, name string) (*v1alpha1.TraefikService, bool, error) GetTraefikService(namespace, name string) (*v1alpha1.TraefikService, bool, error)
GetTraefikServices() []*v1alpha1.TraefikService GetTraefikServices() []*v1alpha1.TraefikService
GetTLSOptions() []*v1alpha1.TLSOption GetTLSOptions() []*v1alpha1.TLSOption
GetTLSStores() []*v1alpha1.TLSStore
GetService(namespace, name string) (*corev1.Service, bool, error) GetService(namespace, name string) (*corev1.Service, bool, error)
GetSecret(namespace, name string) (*corev1.Secret, bool, error) GetSecret(namespace, name string) (*corev1.Secret, bool, error)
@ -159,6 +160,7 @@ func (c *clientWrapper) WatchAll(namespaces []string, stopCh <-chan struct{}) (<
factoryCrd.Traefik().V1alpha1().Middlewares().Informer().AddEventHandler(eventHandler) factoryCrd.Traefik().V1alpha1().Middlewares().Informer().AddEventHandler(eventHandler)
factoryCrd.Traefik().V1alpha1().IngressRouteTCPs().Informer().AddEventHandler(eventHandler) factoryCrd.Traefik().V1alpha1().IngressRouteTCPs().Informer().AddEventHandler(eventHandler)
factoryCrd.Traefik().V1alpha1().TLSOptions().Informer().AddEventHandler(eventHandler) factoryCrd.Traefik().V1alpha1().TLSOptions().Informer().AddEventHandler(eventHandler)
factoryCrd.Traefik().V1alpha1().TLSStores().Informer().AddEventHandler(eventHandler)
factoryCrd.Traefik().V1alpha1().TraefikServices().Informer().AddEventHandler(eventHandler) factoryCrd.Traefik().V1alpha1().TraefikServices().Informer().AddEventHandler(eventHandler)
factoryKube := informers.NewSharedInformerFactoryWithOptions(c.csKube, resyncPeriod, informers.WithNamespace(ns)) factoryKube := informers.NewSharedInformerFactoryWithOptions(c.csKube, resyncPeriod, informers.WithNamespace(ns))
@ -284,6 +286,21 @@ func (c *clientWrapper) GetTLSOptions() []*v1alpha1.TLSOption {
return result return result
} }
// GetTLSStores returns all TLS stores.
func (c *clientWrapper) GetTLSStores() []*v1alpha1.TLSStore {
var result []*v1alpha1.TLSStore
for ns, factory := range c.factoriesCrd {
stores, err := factory.Traefik().V1alpha1().TLSStores().Lister().List(c.labelSelector)
if err != nil {
log.Errorf("Failed to list tls stores in namespace %s: %v", ns, err)
}
result = append(result, stores...)
}
return result
}
// GetService returns the named service from the given namespace. // GetService returns the named service from the given namespace.
func (c *clientWrapper) GetService(namespace, name string) (*corev1.Service, bool, error) { func (c *clientWrapper) GetService(namespace, name string) (*corev1.Service, bool, error) {
if !c.isWatchedNamespace(namespace) { if !c.isWatchedNamespace(namespace) {
@ -343,6 +360,8 @@ func (c *clientWrapper) newResourceEventHandler(events chan<- interface{}) cache
return c.labelSelector.Matches(labels.Set(v.GetLabels())) return c.labelSelector.Matches(labels.Set(v.GetLabels()))
case *v1alpha1.TLSOption: case *v1alpha1.TLSOption:
return c.labelSelector.Matches(labels.Set(v.GetLabels())) return c.labelSelector.Matches(labels.Set(v.GetLabels()))
case *v1alpha1.TLSStore:
return c.labelSelector.Matches(labels.Set(v.GetLabels()))
case *v1alpha1.Middleware: case *v1alpha1.Middleware:
return c.labelSelector.Matches(labels.Set(v.GetLabels())) return c.labelSelector.Matches(labels.Set(v.GetLabels()))
default: default:

View file

@ -34,6 +34,7 @@ type clientMock struct {
ingressRouteTCPs []*v1alpha1.IngressRouteTCP ingressRouteTCPs []*v1alpha1.IngressRouteTCP
middlewares []*v1alpha1.Middleware middlewares []*v1alpha1.Middleware
tlsOptions []*v1alpha1.TLSOption tlsOptions []*v1alpha1.TLSOption
tlsStores []*v1alpha1.TLSStore
traefikServices []*v1alpha1.TraefikService traefikServices []*v1alpha1.TraefikService
watchChan chan interface{} watchChan chan interface{}
@ -65,6 +66,8 @@ func newClientMock(paths ...string) clientMock {
c.traefikServices = append(c.traefikServices, o) c.traefikServices = append(c.traefikServices, o)
case *v1alpha1.TLSOption: case *v1alpha1.TLSOption:
c.tlsOptions = append(c.tlsOptions, o) c.tlsOptions = append(c.tlsOptions, o)
case *v1alpha1.TLSStore:
c.tlsStores = append(c.tlsStores, o)
case *corev1.Secret: case *corev1.Secret:
c.secrets = append(c.secrets, o) c.secrets = append(c.secrets, o)
default: default:
@ -106,6 +109,10 @@ func (c clientMock) GetTLSOptions() []*v1alpha1.TLSOption {
return c.tlsOptions return c.tlsOptions
} }
func (c clientMock) GetTLSStores() []*v1alpha1.TLSStore {
return c.tlsStores
}
func (c clientMock) GetTLSOption(namespace, name string) (*v1alpha1.TLSOption, bool, error) { func (c clientMock) GetTLSOption(namespace, name string) (*v1alpha1.TLSOption, bool, error) {
for _, option := range c.tlsOptions { for _, option := range c.tlsOptions {
if option.Namespace == namespace && option.Name == name { if option.Namespace == namespace && option.Name == name {

View file

@ -0,0 +1,40 @@
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: default
spec:
defaultCertificate:
secretName: supersecret
---
apiVersion: v1
kind: Secret
metadata:
name: supersecret
namespace: default
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: HostSNI(`foo.com`)
services:
- name: whoamitcp
port: 8000
tls:
store:
name: default

View file

@ -0,0 +1,61 @@
apiVersion: v1
kind: Secret
metadata:
name: secretCAdefault1
namespace: foo
data:
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
---
apiVersion: v1
kind: Secret
metadata:
name: secretCAdefault2
namespace: foo
data:
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: foo
spec:
minVersion: VersionTLS12
sniStrict: true
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
clientAuth:
secretNames:
- secretCAdefault1
- secretCAdefault2
clientAuthType: VerifyClientCertIfGiven
preferServerCipherSuites: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`foo.com`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
services:
- name: whoami
port: 80
tls:
options:
name: foo

View file

@ -0,0 +1,61 @@
apiVersion: v1
kind: Secret
metadata:
name: secretCA1
namespace: default
data:
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
---
apiVersion: v1
kind: Secret
metadata:
name: secretCA2
namespace: default
data:
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
minVersion: VersionTLS12
sniStrict: true
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
clientAuth:
secretNames:
- secretCA1
- secretCA2
clientAuthType: VerifyClientCertIfGiven
preferServerCipherSuites: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`foo.com`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
services:
- name: whoami
port: 80
tls:
options:
name: foo

View file

@ -0,0 +1,43 @@
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: foo
spec:
defaultCertificate:
secretName: supersecret
---
apiVersion: v1
kind: Secret
metadata:
name: supersecret
namespace: foo
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`foo.com`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
services:
- name: whoami
port: 80
tls:
store:
name: default

View file

@ -0,0 +1,43 @@
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: default
spec:
defaultCertificate:
secretName: supersecret
---
apiVersion: v1
kind: Secret
metadata:
name: supersecret
namespace: default
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`foo.com`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
services:
- name: whoami
port: 80
tls:
store:
name: default

View file

@ -0,0 +1,136 @@
/*
The MIT License (MIT)
Copyright (c) 2016-2020 Containous SAS
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1alpha1 "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
schema "k8s.io/apimachinery/pkg/runtime/schema"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakeTLSStores implements TLSStoreInterface
type FakeTLSStores struct {
Fake *FakeTraefikV1alpha1
ns string
}
var tlsstoresResource = schema.GroupVersionResource{Group: "traefik.containo.us", Version: "v1alpha1", Resource: "tlsstores"}
var tlsstoresKind = schema.GroupVersionKind{Group: "traefik.containo.us", Version: "v1alpha1", Kind: "TLSStore"}
// Get takes name of the tLSStore, and returns the corresponding tLSStore object, and an error if there is any.
func (c *FakeTLSStores) Get(name string, options v1.GetOptions) (result *v1alpha1.TLSStore, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(tlsstoresResource, c.ns, name), &v1alpha1.TLSStore{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.TLSStore), err
}
// List takes label and field selectors, and returns the list of TLSStores that match those selectors.
func (c *FakeTLSStores) List(opts v1.ListOptions) (result *v1alpha1.TLSStoreList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(tlsstoresResource, tlsstoresKind, c.ns, opts), &v1alpha1.TLSStoreList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.TLSStoreList{ListMeta: obj.(*v1alpha1.TLSStoreList).ListMeta}
for _, item := range obj.(*v1alpha1.TLSStoreList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested tLSStores.
func (c *FakeTLSStores) Watch(opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(tlsstoresResource, c.ns, opts))
}
// Create takes the representation of a tLSStore and creates it. Returns the server's representation of the tLSStore, and an error, if there is any.
func (c *FakeTLSStores) Create(tLSStore *v1alpha1.TLSStore) (result *v1alpha1.TLSStore, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(tlsstoresResource, c.ns, tLSStore), &v1alpha1.TLSStore{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.TLSStore), err
}
// Update takes the representation of a tLSStore and updates it. Returns the server's representation of the tLSStore, and an error, if there is any.
func (c *FakeTLSStores) Update(tLSStore *v1alpha1.TLSStore) (result *v1alpha1.TLSStore, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(tlsstoresResource, c.ns, tLSStore), &v1alpha1.TLSStore{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.TLSStore), err
}
// Delete takes name of the tLSStore and deletes it. Returns an error if one occurs.
func (c *FakeTLSStores) Delete(name string, options *v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteAction(tlsstoresResource, c.ns, name), &v1alpha1.TLSStore{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeTLSStores) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(tlsstoresResource, c.ns, listOptions)
_, err := c.Fake.Invokes(action, &v1alpha1.TLSStoreList{})
return err
}
// Patch applies the patch and returns the patched tLSStore.
func (c *FakeTLSStores) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.TLSStore, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(tlsstoresResource, c.ns, name, pt, data, subresources...), &v1alpha1.TLSStore{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.TLSStore), err
}

View file

@ -52,6 +52,10 @@ func (c *FakeTraefikV1alpha1) TLSOptions(namespace string) v1alpha1.TLSOptionInt
return &FakeTLSOptions{c, namespace} return &FakeTLSOptions{c, namespace}
} }
func (c *FakeTraefikV1alpha1) TLSStores(namespace string) v1alpha1.TLSStoreInterface {
return &FakeTLSStores{c, namespace}
}
func (c *FakeTraefikV1alpha1) TraefikServices(namespace string) v1alpha1.TraefikServiceInterface { func (c *FakeTraefikV1alpha1) TraefikServices(namespace string) v1alpha1.TraefikServiceInterface {
return &FakeTraefikServices{c, namespace} return &FakeTraefikServices{c, namespace}
} }

View file

@ -34,4 +34,6 @@ type MiddlewareExpansion interface{}
type TLSOptionExpansion interface{} type TLSOptionExpansion interface{}
type TLSStoreExpansion interface{}
type TraefikServiceExpansion interface{} type TraefikServiceExpansion interface{}

View file

@ -0,0 +1,182 @@
/*
The MIT License (MIT)
Copyright (c) 2016-2020 Containous SAS
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"time"
scheme "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme"
v1alpha1 "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// TLSStoresGetter has a method to return a TLSStoreInterface.
// A group's client should implement this interface.
type TLSStoresGetter interface {
TLSStores(namespace string) TLSStoreInterface
}
// TLSStoreInterface has methods to work with TLSStore resources.
type TLSStoreInterface interface {
Create(*v1alpha1.TLSStore) (*v1alpha1.TLSStore, error)
Update(*v1alpha1.TLSStore) (*v1alpha1.TLSStore, error)
Delete(name string, options *v1.DeleteOptions) error
DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
Get(name string, options v1.GetOptions) (*v1alpha1.TLSStore, error)
List(opts v1.ListOptions) (*v1alpha1.TLSStoreList, error)
Watch(opts v1.ListOptions) (watch.Interface, error)
Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.TLSStore, err error)
TLSStoreExpansion
}
// tLSStores implements TLSStoreInterface
type tLSStores struct {
client rest.Interface
ns string
}
// newTLSStores returns a TLSStores
func newTLSStores(c *TraefikV1alpha1Client, namespace string) *tLSStores {
return &tLSStores{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the tLSStore, and returns the corresponding tLSStore object, and an error if there is any.
func (c *tLSStores) Get(name string, options v1.GetOptions) (result *v1alpha1.TLSStore, err error) {
result = &v1alpha1.TLSStore{}
err = c.client.Get().
Namespace(c.ns).
Resource("tlsstores").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do().
Into(result)
return
}
// List takes label and field selectors, and returns the list of TLSStores that match those selectors.
func (c *tLSStores) List(opts v1.ListOptions) (result *v1alpha1.TLSStoreList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v1alpha1.TLSStoreList{}
err = c.client.Get().
Namespace(c.ns).
Resource("tlsstores").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do().
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested tLSStores.
func (c *tLSStores) Watch(opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("tlsstores").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch()
}
// Create takes the representation of a tLSStore and creates it. Returns the server's representation of the tLSStore, and an error, if there is any.
func (c *tLSStores) Create(tLSStore *v1alpha1.TLSStore) (result *v1alpha1.TLSStore, err error) {
result = &v1alpha1.TLSStore{}
err = c.client.Post().
Namespace(c.ns).
Resource("tlsstores").
Body(tLSStore).
Do().
Into(result)
return
}
// Update takes the representation of a tLSStore and updates it. Returns the server's representation of the tLSStore, and an error, if there is any.
func (c *tLSStores) Update(tLSStore *v1alpha1.TLSStore) (result *v1alpha1.TLSStore, err error) {
result = &v1alpha1.TLSStore{}
err = c.client.Put().
Namespace(c.ns).
Resource("tlsstores").
Name(tLSStore.Name).
Body(tLSStore).
Do().
Into(result)
return
}
// Delete takes name of the tLSStore and deletes it. Returns an error if one occurs.
func (c *tLSStores) Delete(name string, options *v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("tlsstores").
Name(name).
Body(options).
Do().
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *tLSStores) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
var timeout time.Duration
if listOptions.TimeoutSeconds != nil {
timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("tlsstores").
VersionedParams(&listOptions, scheme.ParameterCodec).
Timeout(timeout).
Body(options).
Do().
Error()
}
// Patch applies the patch and returns the patched tLSStore.
func (c *tLSStores) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.TLSStore, err error) {
result = &v1alpha1.TLSStore{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("tlsstores").
SubResource(subresources...).
Name(name).
Body(data).
Do().
Into(result)
return
}

View file

@ -38,6 +38,7 @@ type TraefikV1alpha1Interface interface {
IngressRouteTCPsGetter IngressRouteTCPsGetter
MiddlewaresGetter MiddlewaresGetter
TLSOptionsGetter TLSOptionsGetter
TLSStoresGetter
TraefikServicesGetter TraefikServicesGetter
} }
@ -62,6 +63,10 @@ func (c *TraefikV1alpha1Client) TLSOptions(namespace string) TLSOptionInterface
return newTLSOptions(c, namespace) return newTLSOptions(c, namespace)
} }
func (c *TraefikV1alpha1Client) TLSStores(namespace string) TLSStoreInterface {
return newTLSStores(c, namespace)
}
func (c *TraefikV1alpha1Client) TraefikServices(namespace string) TraefikServiceInterface { func (c *TraefikV1alpha1Client) TraefikServices(namespace string) TraefikServiceInterface {
return newTraefikServices(c, namespace) return newTraefikServices(c, namespace)
} }

View file

@ -69,6 +69,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().Middlewares().Informer()}, nil return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().Middlewares().Informer()}, nil
case v1alpha1.SchemeGroupVersion.WithResource("tlsoptions"): case v1alpha1.SchemeGroupVersion.WithResource("tlsoptions"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().TLSOptions().Informer()}, nil return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().TLSOptions().Informer()}, nil
case v1alpha1.SchemeGroupVersion.WithResource("tlsstores"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().TLSStores().Informer()}, nil
case v1alpha1.SchemeGroupVersion.WithResource("traefikservices"): case v1alpha1.SchemeGroupVersion.WithResource("traefikservices"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().TraefikServices().Informer()}, nil return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().TraefikServices().Informer()}, nil

View file

@ -40,6 +40,8 @@ type Interface interface {
Middlewares() MiddlewareInformer Middlewares() MiddlewareInformer
// TLSOptions returns a TLSOptionInformer. // TLSOptions returns a TLSOptionInformer.
TLSOptions() TLSOptionInformer TLSOptions() TLSOptionInformer
// TLSStores returns a TLSStoreInformer.
TLSStores() TLSStoreInformer
// TraefikServices returns a TraefikServiceInformer. // TraefikServices returns a TraefikServiceInformer.
TraefikServices() TraefikServiceInformer TraefikServices() TraefikServiceInformer
} }
@ -75,6 +77,11 @@ func (v *version) TLSOptions() TLSOptionInformer {
return &tLSOptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} return &tLSOptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
} }
// TLSStores returns a TLSStoreInformer.
func (v *version) TLSStores() TLSStoreInformer {
return &tLSStoreInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// TraefikServices returns a TraefikServiceInformer. // TraefikServices returns a TraefikServiceInformer.
func (v *version) TraefikServices() TraefikServiceInformer { func (v *version) TraefikServices() TraefikServiceInformer {
return &traefikServiceInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} return &traefikServiceInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

View file

@ -0,0 +1,97 @@
/*
The MIT License (MIT)
Copyright (c) 2016-2020 Containous SAS
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
time "time"
versioned "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned"
internalinterfaces "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/generated/informers/externalversions/internalinterfaces"
v1alpha1 "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/generated/listers/traefik/v1alpha1"
traefikv1alpha1 "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// TLSStoreInformer provides access to a shared informer and lister for
// TLSStores.
type TLSStoreInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.TLSStoreLister
}
type tLSStoreInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewTLSStoreInformer constructs a new informer for TLSStore type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewTLSStoreInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredTLSStoreInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredTLSStoreInformer constructs a new informer for TLSStore type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredTLSStoreInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.TraefikV1alpha1().TLSStores(namespace).List(options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.TraefikV1alpha1().TLSStores(namespace).Watch(options)
},
},
&traefikv1alpha1.TLSStore{},
resyncPeriod,
indexers,
)
}
func (f *tLSStoreInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredTLSStoreInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *tLSStoreInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&traefikv1alpha1.TLSStore{}, f.defaultInformer)
}
func (f *tLSStoreInformer) Lister() v1alpha1.TLSStoreLister {
return v1alpha1.NewTLSStoreLister(f.Informer().GetIndexer())
}

View file

@ -58,6 +58,14 @@ type TLSOptionListerExpansion interface{}
// TLSOptionNamespaceLister. // TLSOptionNamespaceLister.
type TLSOptionNamespaceListerExpansion interface{} type TLSOptionNamespaceListerExpansion interface{}
// TLSStoreListerExpansion allows custom methods to be added to
// TLSStoreLister.
type TLSStoreListerExpansion interface{}
// TLSStoreNamespaceListerExpansion allows custom methods to be added to
// TLSStoreNamespaceLister.
type TLSStoreNamespaceListerExpansion interface{}
// TraefikServiceListerExpansion allows custom methods to be added to // TraefikServiceListerExpansion allows custom methods to be added to
// TraefikServiceLister. // TraefikServiceLister.
type TraefikServiceListerExpansion interface{} type TraefikServiceListerExpansion interface{}

View file

@ -0,0 +1,102 @@
/*
The MIT License (MIT)
Copyright (c) 2016-2020 Containous SAS
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// TLSStoreLister helps list TLSStores.
type TLSStoreLister interface {
// List lists all TLSStores in the indexer.
List(selector labels.Selector) (ret []*v1alpha1.TLSStore, err error)
// TLSStores returns an object that can list and get TLSStores.
TLSStores(namespace string) TLSStoreNamespaceLister
TLSStoreListerExpansion
}
// tLSStoreLister implements the TLSStoreLister interface.
type tLSStoreLister struct {
indexer cache.Indexer
}
// NewTLSStoreLister returns a new TLSStoreLister.
func NewTLSStoreLister(indexer cache.Indexer) TLSStoreLister {
return &tLSStoreLister{indexer: indexer}
}
// List lists all TLSStores in the indexer.
func (s *tLSStoreLister) List(selector labels.Selector) (ret []*v1alpha1.TLSStore, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.TLSStore))
})
return ret, err
}
// TLSStores returns an object that can list and get TLSStores.
func (s *tLSStoreLister) TLSStores(namespace string) TLSStoreNamespaceLister {
return tLSStoreNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// TLSStoreNamespaceLister helps list and get TLSStores.
type TLSStoreNamespaceLister interface {
// List lists all TLSStores in the indexer for a given namespace.
List(selector labels.Selector) (ret []*v1alpha1.TLSStore, err error)
// Get retrieves the TLSStore from the indexer for a given namespace and name.
Get(name string) (*v1alpha1.TLSStore, error)
TLSStoreNamespaceListerExpansion
}
// tLSStoreNamespaceLister implements the TLSStoreNamespaceLister
// interface.
type tLSStoreNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all TLSStores in the indexer for a given namespace.
func (s tLSStoreNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.TLSStore, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.TLSStore))
})
return ret, err
}
// Get retrieves the TLSStore from the indexer for a given namespace and name.
func (s tLSStoreNamespaceLister) Get(name string) (*v1alpha1.TLSStore, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("tlsstore"), name)
}
return obj.(*v1alpha1.TLSStore), nil
}

View file

@ -171,6 +171,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
TLS: &dynamic.TLSConfiguration{ TLS: &dynamic.TLSConfiguration{
Certificates: getTLSConfig(tlsConfigs), Certificates: getTLSConfig(tlsConfigs),
Options: buildTLSOptions(ctx, client), Options: buildTLSOptions(ctx, client),
Stores: buildTLSStores(ctx, client),
}, },
} }
@ -466,6 +467,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
return tlsOptions return tlsOptions
} }
tlsOptions = make(map[string]tls.Options) tlsOptions = make(map[string]tls.Options)
var nsDefault []string
for _, tlsOption := range tlsOptionsCRD { for _, tlsOption := range tlsOptionsCRD {
logger := log.FromContext(log.With(ctx, log.Str("tlsOption", tlsOption.Name), log.Str("namespace", tlsOption.Namespace))) logger := log.FromContext(log.With(ctx, log.Str("tlsOption", tlsOption.Name), log.Str("namespace", tlsOption.Namespace)))
@ -492,7 +494,13 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
clientCAs = append(clientCAs, tls.FileOrContent(cert)) clientCAs = append(clientCAs, tls.FileOrContent(cert))
} }
tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.Options{ id := makeID(tlsOption.Namespace, tlsOption.Name)
// If the name is default, we override the default config.
if tlsOption.Name == "default" {
id = tlsOption.Name
nsDefault = append(nsDefault, tlsOption.Namespace)
}
tlsOptions[id] = tls.Options{
MinVersion: tlsOption.Spec.MinVersion, MinVersion: tlsOption.Spec.MinVersion,
MaxVersion: tlsOption.Spec.MaxVersion, MaxVersion: tlsOption.Spec.MaxVersion,
CipherSuites: tlsOption.Spec.CipherSuites, CipherSuites: tlsOption.Spec.CipherSuites,
@ -505,9 +513,68 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
PreferServerCipherSuites: tlsOption.Spec.PreferServerCipherSuites, PreferServerCipherSuites: tlsOption.Spec.PreferServerCipherSuites,
} }
} }
if len(nsDefault) > 1 {
delete(tlsOptions, "default")
log.FromContext(ctx).Errorf("Default TLS Options defined in multiple namespaces: %v", nsDefault)
}
return tlsOptions return tlsOptions
} }
func buildTLSStores(ctx context.Context, client Client) map[string]tls.Store {
tlsStoreCRD := client.GetTLSStores()
var tlsStores map[string]tls.Store
if len(tlsStoreCRD) == 0 {
return tlsStores
}
tlsStores = make(map[string]tls.Store)
var nsDefault []string
for _, tlsStore := range tlsStoreCRD {
namespace := tlsStore.Namespace
secretName := tlsStore.Spec.DefaultCertificate.SecretName
logger := log.FromContext(log.With(ctx, log.Str("tlsStore", tlsStore.Name), log.Str("namespace", namespace), log.Str("secretName", secretName)))
secret, exists, err := client.GetSecret(namespace, secretName)
if err != nil {
logger.Errorf("Failed to fetch secret %s/%s: %v", namespace, secretName, err)
continue
}
if !exists {
logger.Errorf("Secret %s/%s does not exist", namespace, secretName)
continue
}
cert, key, err := getCertificateBlocks(secret, namespace, secretName)
if err != nil {
logger.Errorf("Could not get certificate blocks: %v", err)
continue
}
id := makeID(tlsStore.Namespace, tlsStore.Name)
// If the name is default, we override the default config.
if tlsStore.Name == "default" {
id = tlsStore.Name
nsDefault = append(nsDefault, tlsStore.Namespace)
}
tlsStores[id] = tls.Store{
DefaultCertificate: &tls.Certificate{
CertFile: tls.FileOrContent(cert),
KeyFile: tls.FileOrContent(key),
},
}
}
if len(nsDefault) > 1 {
delete(tlsStores, "default")
log.FromContext(ctx).Errorf("Default TLS Stores defined in multiple namespaces: %v", nsDefault)
}
return tlsStores
}
func checkStringQuoteValidity(value string) error { func checkStringQuoteValidity(value string) error {
_, err := strconv.Unquote(`"` + value + `"`) _, err := strconv.Unquote(`"` + value + `"`)
return err return err

View file

@ -746,6 +746,53 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
}, },
}, },
}, },
{
desc: "TLS with tls Store",
paths: []string{"tcp/services.yml", "tcp/with_tls_store.yml"},
expected: &dynamic.Configuration{
TLS: &dynamic.TLSConfiguration{
Stores: map[string]tls.Store{
"default": {
DefaultCertificate: &tls.Certificate{
CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
KeyFile: tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
},
},
},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{
"default-test.route-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default-test.route-fdd3e9338e47a45efefc",
Rule: "HostSNI(`foo.com`)",
TLS: &dynamic.RouterTCPTLSConfig{},
},
},
Services: map[string]*dynamic.TCPService{
"default-test.route-fdd3e9338e47a45efefc": {
LoadBalancer: &dynamic.TCPServersLoadBalancer{
Servers: []dynamic.TCPServer{
{
Address: "10.10.0.1:8000",
Port: "",
},
{
Address: "10.10.0.2:8000",
Port: "",
},
},
},
},
},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
},
},
},
} }
for _, test := range testCases { for _, test := range testCases {
@ -1937,6 +1984,107 @@ func TestLoadIngressRoutes(t *testing.T) {
}, },
}, },
}, },
{
desc: "TLS with two default tls options",
paths: []string{"services.yml", "with_default_tls_options.yml", "with_default_tls_options_default_namespace.yml"},
expected: &dynamic.Configuration{
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{
"default-test-route-6b204d94623b3df4370c": {
EntryPoints: []string{"web"},
Service: "default-test-route-6b204d94623b3df4370c",
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
TLS: &dynamic.RouterTLSConfig{
Options: "default-foo",
},
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"default-test-route-6b204d94623b3df4370c": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: Bool(true),
},
},
},
},
},
},
{
desc: "TLS with default tls options",
paths: []string{"services.yml", "with_default_tls_options.yml"},
expected: &dynamic.Configuration{
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"default": {
MinVersion: "VersionTLS12",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
},
ClientAuth: tls.ClientAuth{
CAFiles: []tls.FileOrContent{
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
},
ClientAuthType: "VerifyClientCertIfGiven",
},
SniStrict: true,
PreferServerCipherSuites: true,
},
},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{
"default-test-route-6b204d94623b3df4370c": {
EntryPoints: []string{"web"},
Service: "default-test-route-6b204d94623b3df4370c",
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
TLS: &dynamic.RouterTLSConfig{
Options: "default-foo",
},
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"default-test-route-6b204d94623b3df4370c": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: Bool(true),
},
},
},
},
},
},
{ {
desc: "TLS with tls options and specific namespace", desc: "TLS with tls options and specific namespace",
paths: []string{"services.yml", "with_tls_options_and_specific_namespace.yml"}, paths: []string{"services.yml", "with_tls_options_and_specific_namespace.yml"},
@ -2369,6 +2517,93 @@ func TestLoadIngressRoutes(t *testing.T) {
TLS: &dynamic.TLSConfiguration{}, TLS: &dynamic.TLSConfiguration{},
}, },
}, },
{
desc: "TLS with tls store",
paths: []string{"services.yml", "with_tls_store.yml"},
expected: &dynamic.Configuration{
TLS: &dynamic.TLSConfiguration{
Stores: map[string]tls.Store{
"default": {
DefaultCertificate: &tls.Certificate{
CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
KeyFile: tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
},
},
},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{
"default-test-route-6b204d94623b3df4370c": {
EntryPoints: []string{"web"},
Service: "default-test-route-6b204d94623b3df4370c",
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
TLS: &dynamic.RouterTLSConfig{},
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"default-test-route-6b204d94623b3df4370c": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: Bool(true),
},
},
},
},
},
},
{
desc: "TLS with tls store default two times",
paths: []string{"services.yml", "with_tls_store.yml", "with_default_tls_store.yml"},
expected: &dynamic.Configuration{
TLS: &dynamic.TLSConfiguration{
Stores: map[string]tls.Store{},
},
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{
"default-test-route-6b204d94623b3df4370c": {
EntryPoints: []string{"web"},
Service: "default-test-route-6b204d94623b3df4370c",
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
Priority: 12,
TLS: &dynamic.RouterTLSConfig{},
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"default-test-route-6b204d94623b3df4370c": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "http://10.10.0.1:80",
},
{
URL: "http://10.10.0.2:80",
},
},
PassHostHeader: Bool(true),
},
},
},
},
},
},
{ {
desc: "port selected by name (TODO)", desc: "port selected by name (TODO)",
}, },

View file

@ -39,6 +39,8 @@ type TLS struct {
SecretName string `json:"secretName"` SecretName string `json:"secretName"`
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection. // Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
Options *TLSOptionRef `json:"options,omitempty"` Options *TLSOptionRef `json:"options,omitempty"`
// Store is a reference to a TLSStore, that specifies the parameters of the TLS store.
Store *TLSStoreRef `json:"store,omitempty"`
CertResolver string `json:"certResolver,omitempty"` CertResolver string `json:"certResolver,omitempty"`
Domains []types.Domain `json:"domains,omitempty"` Domains []types.Domain `json:"domains,omitempty"`
} }
@ -49,6 +51,12 @@ type TLSOptionRef struct {
Namespace string `json:"namespace"` Namespace string `json:"namespace"`
} }
// TLSStoreRef is a ref to the TLSStore resource.
type TLSStoreRef struct {
Name string `json:"name"`
Namespace string `json:"namespace"`
}
// LoadBalancerSpec can reference either a Kubernetes Service object (a load-balancer of servers), // LoadBalancerSpec can reference either a Kubernetes Service object (a load-balancer of servers),
// or a TraefikService object (a traefik load-balancer of services). // or a TraefikService object (a traefik load-balancer of services).
type LoadBalancerSpec struct { type LoadBalancerSpec struct {

View file

@ -33,6 +33,8 @@ type TLSTCP struct {
Passthrough bool `json:"passthrough"` Passthrough bool `json:"passthrough"`
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection. // Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
Options *TLSOptionTCPRef `json:"options"` Options *TLSOptionTCPRef `json:"options"`
// Store is a reference to a TLSStore, that specifies the parameters of the TLS store.
Store *TLSStoreTCPRef `json:"store"`
CertResolver string `json:"certResolver"` CertResolver string `json:"certResolver"`
Domains []types.Domain `json:"domains,omitempty"` Domains []types.Domain `json:"domains,omitempty"`
} }
@ -43,6 +45,12 @@ type TLSOptionTCPRef struct {
Namespace string `json:"namespace"` Namespace string `json:"namespace"`
} }
// TLSStoreTCPRef is a ref to the TLSStore resources.
type TLSStoreTCPRef struct {
Name string `json:"name"`
Namespace string `json:"namespace"`
}
// ServiceTCP defines an upstream to proxy traffic. // ServiceTCP defines an upstream to proxy traffic.
type ServiceTCP struct { type ServiceTCP struct {
Name string `json:"name"` Name string `json:"name"`

View file

@ -41,6 +41,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&MiddlewareList{}, &MiddlewareList{},
&TLSOption{}, &TLSOption{},
&TLSOptionList{}, &TLSOptionList{},
&TLSStore{},
&TLSStoreList{},
&TraefikService{}, &TraefikService{},
&TraefikServiceList{}, &TraefikServiceList{},
) )

View file

@ -0,0 +1,42 @@
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// TLSStore is a specification for a TLSStore resource.
type TLSStore struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata"`
Spec TLSStoreSpec `json:"spec"`
}
// +k8s:deepcopy-gen=true
// TLSStoreSpec configures a TLSStore resource.
type TLSStoreSpec struct {
DefaultCertificate DefaultCertificate `json:"defaultCertificate"`
}
// +k8s:deepcopy-gen=true
// DefaultCertificate holds a secret name for the TLSOption resource.
type DefaultCertificate struct {
// SecretName is the name of the referenced Kubernetes Secret to specify the
// certificate details.
SecretName string `json:"secretName,omitempty"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// TLSStoreList is a list of TLSStore resources.
type TLSStoreList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []TLSStore `json:"items"`
}

View file

@ -108,6 +108,22 @@ func (in *ClientTLS) DeepCopy() *ClientTLS {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *DefaultCertificate) DeepCopyInto(out *DefaultCertificate) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultCertificate.
func (in *DefaultCertificate) DeepCopy() *DefaultCertificate {
if in == nil {
return nil
}
out := new(DefaultCertificate)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *DigestAuth) DeepCopyInto(out *DigestAuth) { func (in *DigestAuth) DeepCopyInto(out *DigestAuth) {
*out = *in *out = *in
@ -793,6 +809,11 @@ func (in *TLS) DeepCopyInto(out *TLS) {
*out = new(TLSOptionRef) *out = new(TLSOptionRef)
**out = **in **out = **in
} }
if in.Store != nil {
in, out := &in.Store, &out.Store
*out = new(TLSStoreRef)
**out = **in
}
if in.Domains != nil { if in.Domains != nil {
in, out := &in.Domains, &out.Domains in, out := &in.Domains, &out.Domains
*out = make([]types.Domain, len(*in)) *out = make([]types.Domain, len(*in))
@ -932,6 +953,115 @@ func (in *TLSOptionTCPRef) DeepCopy() *TLSOptionTCPRef {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSStore) DeepCopyInto(out *TLSStore) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSStore.
func (in *TLSStore) DeepCopy() *TLSStore {
if in == nil {
return nil
}
out := new(TLSStore)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *TLSStore) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSStoreList) DeepCopyInto(out *TLSStoreList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]TLSStore, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSStoreList.
func (in *TLSStoreList) DeepCopy() *TLSStoreList {
if in == nil {
return nil
}
out := new(TLSStoreList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *TLSStoreList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSStoreRef) DeepCopyInto(out *TLSStoreRef) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSStoreRef.
func (in *TLSStoreRef) DeepCopy() *TLSStoreRef {
if in == nil {
return nil
}
out := new(TLSStoreRef)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSStoreSpec) DeepCopyInto(out *TLSStoreSpec) {
*out = *in
out.DefaultCertificate = in.DefaultCertificate
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSStoreSpec.
func (in *TLSStoreSpec) DeepCopy() *TLSStoreSpec {
if in == nil {
return nil
}
out := new(TLSStoreSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSStoreTCPRef) DeepCopyInto(out *TLSStoreTCPRef) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSStoreTCPRef.
func (in *TLSStoreTCPRef) DeepCopy() *TLSStoreTCPRef {
if in == nil {
return nil
}
out := new(TLSStoreTCPRef)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSTCP) DeepCopyInto(out *TLSTCP) { func (in *TLSTCP) DeepCopyInto(out *TLSTCP) {
*out = *in *out = *in
@ -940,6 +1070,11 @@ func (in *TLSTCP) DeepCopyInto(out *TLSTCP) {
*out = new(TLSOptionTCPRef) *out = new(TLSOptionTCPRef)
**out = **in **out = **in
} }
if in.Store != nil {
in, out := &in.Store, &out.Store
*out = new(TLSStoreTCPRef)
**out = **in
}
if in.Domains != nil { if in.Domains != nil {
in, out := &in.Domains, &out.Domains in, out := &in.Domains, &out.Domains
*out = make([]types.Domain, len(*in)) *out = make([]types.Domain, len(*in))

View file

@ -12,7 +12,7 @@ import (
// MustParseYaml parses a YAML to objects. // MustParseYaml parses a YAML to objects.
func MustParseYaml(content []byte) []runtime.Object { func MustParseYaml(content []byte) []runtime.Object {
acceptedK8sTypes := regexp.MustCompile(`^(Deployment|Endpoints|Service|Ingress|IngressRoute|IngressRouteTCP|Middleware|Secret|TLSOption|TraefikService)$`) acceptedK8sTypes := regexp.MustCompile(`^(Deployment|Endpoints|Service|Ingress|IngressRoute|IngressRouteTCP|Middleware|Secret|TLSOption|TLSStore|TraefikService)$`)
files := strings.Split(string(content), "---") files := strings.Split(string(content), "---")
retVal := make([]runtime.Object, 0, len(files)) retVal := make([]runtime.Object, 0, len(files))

View file

@ -29,6 +29,7 @@ func mergeConfiguration(configurations dynamic.Configurations) dynamic.Configura
} }
var defaultTLSOptionProviders []string var defaultTLSOptionProviders []string
var defaultTLSStoreProviders []string
for pvd, configuration := range configurations { for pvd, configuration := range configurations {
if configuration.HTTP != nil { if configuration.HTTP != nil {
for routerName, router := range configuration.HTTP.Routers { for routerName, router := range configuration.HTTP.Routers {
@ -64,6 +65,11 @@ func mergeConfiguration(configurations dynamic.Configurations) dynamic.Configura
conf.TLS.Certificates = append(conf.TLS.Certificates, configuration.TLS.Certificates...) conf.TLS.Certificates = append(conf.TLS.Certificates, configuration.TLS.Certificates...)
for key, store := range configuration.TLS.Stores { for key, store := range configuration.TLS.Stores {
if key != "default" {
key = provider.MakeQualifiedName(pvd, key)
} else {
defaultTLSStoreProviders = append(defaultTLSStoreProviders, pvd)
}
conf.TLS.Stores[key] = store conf.TLS.Stores[key] = store
} }
@ -79,6 +85,11 @@ func mergeConfiguration(configurations dynamic.Configurations) dynamic.Configura
} }
} }
if len(defaultTLSStoreProviders) > 1 {
log.WithoutContext().Errorf("Default TLS Stores defined multiple times in %v", defaultTLSOptionProviders)
delete(conf.TLS.Stores, "default")
}
if len(defaultTLSOptionProviders) == 0 { if len(defaultTLSOptionProviders) == 0 {
conf.TLS.Options["default"] = tls.DefaultTLSOptions conf.TLS.Options["default"] = tls.DefaultTLSOptions
} else if len(defaultTLSOptionProviders) > 1 { } else if len(defaultTLSOptionProviders) > 1 {

View file

@ -294,3 +294,95 @@ func TestAggregator_tlsoptions(t *testing.T) {
}) })
} }
} }
func TestAggregator_tlsStore(t *testing.T) {
testCases := []struct {
desc string
given dynamic.Configurations
expected map[string]tls.Store
}{
{
desc: "Create a valid default tls store when appears only in one provider",
given: dynamic.Configurations{
"provider-1": &dynamic.Configuration{
TLS: &dynamic.TLSConfiguration{
Stores: map[string]tls.Store{
"default": {
DefaultCertificate: &tls.Certificate{
CertFile: "foo",
KeyFile: "bar",
},
},
},
},
},
"provider-2": &dynamic.Configuration{
TLS: &dynamic.TLSConfiguration{
Stores: map[string]tls.Store{
"foo": {
DefaultCertificate: &tls.Certificate{
CertFile: "foo",
KeyFile: "bar",
},
},
},
},
},
},
expected: map[string]tls.Store{
"default": {
DefaultCertificate: &tls.Certificate{
CertFile: "foo",
KeyFile: "bar",
},
},
"foo@provider-2": {
DefaultCertificate: &tls.Certificate{
CertFile: "foo",
KeyFile: "bar",
},
},
},
},
{
desc: "Don't default tls store when appears two times",
given: dynamic.Configurations{
"provider-1": &dynamic.Configuration{
TLS: &dynamic.TLSConfiguration{
Stores: map[string]tls.Store{
"default": {
DefaultCertificate: &tls.Certificate{
CertFile: "foo",
KeyFile: "bar",
},
},
},
},
},
"provider-2": &dynamic.Configuration{
TLS: &dynamic.TLSConfiguration{
Stores: map[string]tls.Store{
"default": {
DefaultCertificate: &tls.Certificate{
CertFile: "foo",
KeyFile: "bar",
},
},
},
},
},
},
expected: map[string]tls.Store{},
},
}
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
actual := mergeConfiguration(test.given)
assert.Equal(t, test.expected, actual.TLS.Stores)
})
}
}