Add TLSStores to Kubernetes CRD
This commit is contained in:
parent
101aefbfe8
commit
a474e196ea
34 changed files with 1560 additions and 6 deletions
|
@ -57,6 +57,21 @@ spec:
|
||||||
singular: tlsoption
|
singular: tlsoption
|
||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: tlsstores.traefik.containo.us
|
||||||
|
|
||||||
|
spec:
|
||||||
|
group: traefik.containo.us
|
||||||
|
version: v1alpha1
|
||||||
|
names:
|
||||||
|
kind: TLSStore
|
||||||
|
plural: tlsstores
|
||||||
|
singular: tlsstore
|
||||||
|
scope: Namespaced
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: apiextensions.k8s.io/v1beta1
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
|
|
|
@ -41,6 +41,21 @@ spec:
|
||||||
singular: tlsoption
|
singular: tlsoption
|
||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: tlsstores.traefik.containo.us
|
||||||
|
|
||||||
|
spec:
|
||||||
|
group: traefik.containo.us
|
||||||
|
version: v1alpha1
|
||||||
|
names:
|
||||||
|
kind: TLSStore
|
||||||
|
plural: tlsstores
|
||||||
|
singular: tlsstore
|
||||||
|
scope: Namespaced
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: apiextensions.k8s.io/v1beta1
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
|
|
|
@ -890,6 +890,82 @@ or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`Ingre
|
||||||
just as in the [middleware case](../../middlewares/overview.md#provider-namespace).
|
just as in the [middleware case](../../middlewares/overview.md#provider-namespace).
|
||||||
Specifying a namespace attribute in this case would not make any sense, and will be ignored.
|
Specifying a namespace attribute in this case would not make any sense, and will be ignored.
|
||||||
|
|
||||||
|
### Kind: `TLSStore`
|
||||||
|
|
||||||
|
`TLSStore` is the CRD implementation of a [Traefik "TLS Store"](../../https/tls.md#certificates-stores).
|
||||||
|
|
||||||
|
Register the `TLSStore` kind in the Kubernetes cluster before creating `TLSStore` objects
|
||||||
|
or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`IngressRouteTCP`](#kind-ingressroutetcp) objects.
|
||||||
|
|
||||||
|
!!! important "Default TLS Store"
|
||||||
|
|
||||||
|
Traefik currently only uses the [TLS Store named "default"](../../https/tls.md#certificates-stores).
|
||||||
|
This means that if you have two stores that are named default in different kubernetes namespaces,
|
||||||
|
they may be randomly chosen.
|
||||||
|
For the time being, please only configure one TLSSTore named default.
|
||||||
|
|
||||||
|
!!! info "TLSStore Attributes"
|
||||||
|
|
||||||
|
```yaml tab="TLSStore"
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: TLSStore
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
defaultCertificate:
|
||||||
|
secretName: mySecret # [1]
|
||||||
|
```
|
||||||
|
|
||||||
|
| Ref | Attribute | Purpose |
|
||||||
|
|-----|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
|
| [1] | `secretName` | The name of the referenced Kubernetes [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) that holds the default certificate for the store. |
|
||||||
|
|
||||||
|
??? example "Declaring and referencing a TLSStore"
|
||||||
|
|
||||||
|
```yaml tab="TLSStore"
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: TLSStore
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
defaultCertificate:
|
||||||
|
secretName: supersecret
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="IngressRoute"
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
|
metadata:
|
||||||
|
name: ingressroutebar
|
||||||
|
|
||||||
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
routes:
|
||||||
|
- match: Host(`bar.com`) && PathPrefix(`/stripit`)
|
||||||
|
kind: Rule
|
||||||
|
services:
|
||||||
|
- name: whoami
|
||||||
|
port: 80
|
||||||
|
tls:
|
||||||
|
store:
|
||||||
|
name: default
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="Secret"
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: supersecret
|
||||||
|
|
||||||
|
data:
|
||||||
|
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||||
|
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
|
||||||
|
```
|
||||||
## Further
|
## Further
|
||||||
|
|
||||||
Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt.
|
Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt.
|
||||||
|
|
|
@ -57,6 +57,22 @@ spec:
|
||||||
singular: tlsoption
|
singular: tlsoption
|
||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: tlsstores.traefik.containo.us
|
||||||
|
|
||||||
|
spec:
|
||||||
|
group: traefik.containo.us
|
||||||
|
version: v1alpha1
|
||||||
|
names:
|
||||||
|
kind: TLSStore
|
||||||
|
plural: tlsstores
|
||||||
|
singular: tlsstore
|
||||||
|
scope: Namespaced
|
||||||
|
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: apiextensions.k8s.io/v1beta1
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
|
|
|
@ -19,3 +19,5 @@ spec:
|
||||||
tls:
|
tls:
|
||||||
options:
|
options:
|
||||||
name: mytlsoption
|
name: mytlsoption
|
||||||
|
store:
|
||||||
|
name: mytlsstore
|
||||||
|
|
9
integration/fixtures/k8s/03-tlsstore.yml
Normal file
9
integration/fixtures/k8s/03-tlsstore.yml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: TLSStore
|
||||||
|
metadata:
|
||||||
|
name: mytlsstore
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
defaultCertificate:
|
||||||
|
secretName: tls-cert
|
|
@ -16,3 +16,5 @@ spec:
|
||||||
tls:
|
tls:
|
||||||
options:
|
options:
|
||||||
name: mytlsoption
|
name: mytlsoption
|
||||||
|
store:
|
||||||
|
name: mytlsstore
|
||||||
|
|
|
@ -51,6 +51,7 @@ type Client interface {
|
||||||
GetTraefikService(namespace, name string) (*v1alpha1.TraefikService, bool, error)
|
GetTraefikService(namespace, name string) (*v1alpha1.TraefikService, bool, error)
|
||||||
GetTraefikServices() []*v1alpha1.TraefikService
|
GetTraefikServices() []*v1alpha1.TraefikService
|
||||||
GetTLSOptions() []*v1alpha1.TLSOption
|
GetTLSOptions() []*v1alpha1.TLSOption
|
||||||
|
GetTLSStores() []*v1alpha1.TLSStore
|
||||||
|
|
||||||
GetService(namespace, name string) (*corev1.Service, bool, error)
|
GetService(namespace, name string) (*corev1.Service, bool, error)
|
||||||
GetSecret(namespace, name string) (*corev1.Secret, bool, error)
|
GetSecret(namespace, name string) (*corev1.Secret, bool, error)
|
||||||
|
@ -159,6 +160,7 @@ func (c *clientWrapper) WatchAll(namespaces []string, stopCh <-chan struct{}) (<
|
||||||
factoryCrd.Traefik().V1alpha1().Middlewares().Informer().AddEventHandler(eventHandler)
|
factoryCrd.Traefik().V1alpha1().Middlewares().Informer().AddEventHandler(eventHandler)
|
||||||
factoryCrd.Traefik().V1alpha1().IngressRouteTCPs().Informer().AddEventHandler(eventHandler)
|
factoryCrd.Traefik().V1alpha1().IngressRouteTCPs().Informer().AddEventHandler(eventHandler)
|
||||||
factoryCrd.Traefik().V1alpha1().TLSOptions().Informer().AddEventHandler(eventHandler)
|
factoryCrd.Traefik().V1alpha1().TLSOptions().Informer().AddEventHandler(eventHandler)
|
||||||
|
factoryCrd.Traefik().V1alpha1().TLSStores().Informer().AddEventHandler(eventHandler)
|
||||||
factoryCrd.Traefik().V1alpha1().TraefikServices().Informer().AddEventHandler(eventHandler)
|
factoryCrd.Traefik().V1alpha1().TraefikServices().Informer().AddEventHandler(eventHandler)
|
||||||
|
|
||||||
factoryKube := informers.NewSharedInformerFactoryWithOptions(c.csKube, resyncPeriod, informers.WithNamespace(ns))
|
factoryKube := informers.NewSharedInformerFactoryWithOptions(c.csKube, resyncPeriod, informers.WithNamespace(ns))
|
||||||
|
@ -284,6 +286,21 @@ func (c *clientWrapper) GetTLSOptions() []*v1alpha1.TLSOption {
|
||||||
return result
|
return result
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetTLSStores returns all TLS stores.
|
||||||
|
func (c *clientWrapper) GetTLSStores() []*v1alpha1.TLSStore {
|
||||||
|
var result []*v1alpha1.TLSStore
|
||||||
|
|
||||||
|
for ns, factory := range c.factoriesCrd {
|
||||||
|
stores, err := factory.Traefik().V1alpha1().TLSStores().Lister().List(c.labelSelector)
|
||||||
|
if err != nil {
|
||||||
|
log.Errorf("Failed to list tls stores in namespace %s: %v", ns, err)
|
||||||
|
}
|
||||||
|
result = append(result, stores...)
|
||||||
|
}
|
||||||
|
|
||||||
|
return result
|
||||||
|
}
|
||||||
|
|
||||||
// GetService returns the named service from the given namespace.
|
// GetService returns the named service from the given namespace.
|
||||||
func (c *clientWrapper) GetService(namespace, name string) (*corev1.Service, bool, error) {
|
func (c *clientWrapper) GetService(namespace, name string) (*corev1.Service, bool, error) {
|
||||||
if !c.isWatchedNamespace(namespace) {
|
if !c.isWatchedNamespace(namespace) {
|
||||||
|
@ -343,6 +360,8 @@ func (c *clientWrapper) newResourceEventHandler(events chan<- interface{}) cache
|
||||||
return c.labelSelector.Matches(labels.Set(v.GetLabels()))
|
return c.labelSelector.Matches(labels.Set(v.GetLabels()))
|
||||||
case *v1alpha1.TLSOption:
|
case *v1alpha1.TLSOption:
|
||||||
return c.labelSelector.Matches(labels.Set(v.GetLabels()))
|
return c.labelSelector.Matches(labels.Set(v.GetLabels()))
|
||||||
|
case *v1alpha1.TLSStore:
|
||||||
|
return c.labelSelector.Matches(labels.Set(v.GetLabels()))
|
||||||
case *v1alpha1.Middleware:
|
case *v1alpha1.Middleware:
|
||||||
return c.labelSelector.Matches(labels.Set(v.GetLabels()))
|
return c.labelSelector.Matches(labels.Set(v.GetLabels()))
|
||||||
default:
|
default:
|
||||||
|
|
|
@ -34,6 +34,7 @@ type clientMock struct {
|
||||||
ingressRouteTCPs []*v1alpha1.IngressRouteTCP
|
ingressRouteTCPs []*v1alpha1.IngressRouteTCP
|
||||||
middlewares []*v1alpha1.Middleware
|
middlewares []*v1alpha1.Middleware
|
||||||
tlsOptions []*v1alpha1.TLSOption
|
tlsOptions []*v1alpha1.TLSOption
|
||||||
|
tlsStores []*v1alpha1.TLSStore
|
||||||
traefikServices []*v1alpha1.TraefikService
|
traefikServices []*v1alpha1.TraefikService
|
||||||
|
|
||||||
watchChan chan interface{}
|
watchChan chan interface{}
|
||||||
|
@ -65,6 +66,8 @@ func newClientMock(paths ...string) clientMock {
|
||||||
c.traefikServices = append(c.traefikServices, o)
|
c.traefikServices = append(c.traefikServices, o)
|
||||||
case *v1alpha1.TLSOption:
|
case *v1alpha1.TLSOption:
|
||||||
c.tlsOptions = append(c.tlsOptions, o)
|
c.tlsOptions = append(c.tlsOptions, o)
|
||||||
|
case *v1alpha1.TLSStore:
|
||||||
|
c.tlsStores = append(c.tlsStores, o)
|
||||||
case *corev1.Secret:
|
case *corev1.Secret:
|
||||||
c.secrets = append(c.secrets, o)
|
c.secrets = append(c.secrets, o)
|
||||||
default:
|
default:
|
||||||
|
@ -106,6 +109,10 @@ func (c clientMock) GetTLSOptions() []*v1alpha1.TLSOption {
|
||||||
return c.tlsOptions
|
return c.tlsOptions
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c clientMock) GetTLSStores() []*v1alpha1.TLSStore {
|
||||||
|
return c.tlsStores
|
||||||
|
}
|
||||||
|
|
||||||
func (c clientMock) GetTLSOption(namespace, name string) (*v1alpha1.TLSOption, bool, error) {
|
func (c clientMock) GetTLSOption(namespace, name string) (*v1alpha1.TLSOption, bool, error) {
|
||||||
for _, option := range c.tlsOptions {
|
for _, option := range c.tlsOptions {
|
||||||
if option.Namespace == namespace && option.Name == name {
|
if option.Namespace == namespace && option.Name == name {
|
||||||
|
|
40
pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_store.yml
Normal file
40
pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_store.yml
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: TLSStore
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
defaultCertificate:
|
||||||
|
secretName: supersecret
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: supersecret
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
data:
|
||||||
|
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||||
|
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: IngressRouteTCP
|
||||||
|
metadata:
|
||||||
|
name: test.route
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- foo
|
||||||
|
routes:
|
||||||
|
- match: HostSNI(`foo.com`)
|
||||||
|
services:
|
||||||
|
- name: whoamitcp
|
||||||
|
port: 8000
|
||||||
|
|
||||||
|
tls:
|
||||||
|
store:
|
||||||
|
name: default
|
|
@ -0,0 +1,61 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: secretCAdefault1
|
||||||
|
namespace: foo
|
||||||
|
|
||||||
|
data:
|
||||||
|
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: secretCAdefault2
|
||||||
|
namespace: foo
|
||||||
|
|
||||||
|
data:
|
||||||
|
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: TLSOption
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: foo
|
||||||
|
|
||||||
|
spec:
|
||||||
|
minVersion: VersionTLS12
|
||||||
|
sniStrict: true
|
||||||
|
cipherSuites:
|
||||||
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||||
|
- TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||||
|
clientAuth:
|
||||||
|
secretNames:
|
||||||
|
- secretCAdefault1
|
||||||
|
- secretCAdefault2
|
||||||
|
clientAuthType: VerifyClientCertIfGiven
|
||||||
|
preferServerCipherSuites: true
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
|
metadata:
|
||||||
|
name: test.route
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
|
||||||
|
routes:
|
||||||
|
- match: Host(`foo.com`) && PathPrefix(`/bar`)
|
||||||
|
kind: Rule
|
||||||
|
priority: 12
|
||||||
|
services:
|
||||||
|
- name: whoami
|
||||||
|
port: 80
|
||||||
|
|
||||||
|
tls:
|
||||||
|
options:
|
||||||
|
name: foo
|
|
@ -0,0 +1,61 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: secretCA1
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
data:
|
||||||
|
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: secretCA2
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
data:
|
||||||
|
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: TLSOption
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
minVersion: VersionTLS12
|
||||||
|
sniStrict: true
|
||||||
|
cipherSuites:
|
||||||
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||||
|
- TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||||
|
clientAuth:
|
||||||
|
secretNames:
|
||||||
|
- secretCA1
|
||||||
|
- secretCA2
|
||||||
|
clientAuthType: VerifyClientCertIfGiven
|
||||||
|
preferServerCipherSuites: true
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
|
metadata:
|
||||||
|
name: test.route
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
|
||||||
|
routes:
|
||||||
|
- match: Host(`foo.com`) && PathPrefix(`/bar`)
|
||||||
|
kind: Rule
|
||||||
|
priority: 12
|
||||||
|
services:
|
||||||
|
- name: whoami
|
||||||
|
port: 80
|
||||||
|
|
||||||
|
tls:
|
||||||
|
options:
|
||||||
|
name: foo
|
|
@ -0,0 +1,43 @@
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: TLSStore
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: foo
|
||||||
|
|
||||||
|
spec:
|
||||||
|
defaultCertificate:
|
||||||
|
secretName: supersecret
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: supersecret
|
||||||
|
namespace: foo
|
||||||
|
|
||||||
|
data:
|
||||||
|
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||||
|
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
|
metadata:
|
||||||
|
name: test.route
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
|
||||||
|
routes:
|
||||||
|
- match: Host(`foo.com`) && PathPrefix(`/bar`)
|
||||||
|
kind: Rule
|
||||||
|
priority: 12
|
||||||
|
services:
|
||||||
|
- name: whoami
|
||||||
|
port: 80
|
||||||
|
|
||||||
|
tls:
|
||||||
|
store:
|
||||||
|
name: default
|
43
pkg/provider/kubernetes/crd/fixtures/with_tls_store.yml
Normal file
43
pkg/provider/kubernetes/crd/fixtures/with_tls_store.yml
Normal file
|
@ -0,0 +1,43 @@
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: TLSStore
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
defaultCertificate:
|
||||||
|
secretName: supersecret
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: supersecret
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
data:
|
||||||
|
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
|
||||||
|
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
|
metadata:
|
||||||
|
name: test.route
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
|
||||||
|
routes:
|
||||||
|
- match: Host(`foo.com`) && PathPrefix(`/bar`)
|
||||||
|
kind: Rule
|
||||||
|
priority: 12
|
||||||
|
services:
|
||||||
|
- name: whoami
|
||||||
|
port: 80
|
||||||
|
|
||||||
|
tls:
|
||||||
|
store:
|
||||||
|
name: default
|
|
@ -0,0 +1,136 @@
|
||||||
|
/*
|
||||||
|
The MIT License (MIT)
|
||||||
|
|
||||||
|
Copyright (c) 2016-2020 Containous SAS
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
of this software and associated documentation files (the "Software"), to deal
|
||||||
|
in the Software without restriction, including without limitation the rights
|
||||||
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
copies of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be included in
|
||||||
|
all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||||
|
THE SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Code generated by client-gen. DO NOT EDIT.
|
||||||
|
|
||||||
|
package fake
|
||||||
|
|
||||||
|
import (
|
||||||
|
v1alpha1 "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
|
||||||
|
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
labels "k8s.io/apimachinery/pkg/labels"
|
||||||
|
schema "k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
|
types "k8s.io/apimachinery/pkg/types"
|
||||||
|
watch "k8s.io/apimachinery/pkg/watch"
|
||||||
|
testing "k8s.io/client-go/testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
// FakeTLSStores implements TLSStoreInterface
|
||||||
|
type FakeTLSStores struct {
|
||||||
|
Fake *FakeTraefikV1alpha1
|
||||||
|
ns string
|
||||||
|
}
|
||||||
|
|
||||||
|
var tlsstoresResource = schema.GroupVersionResource{Group: "traefik.containo.us", Version: "v1alpha1", Resource: "tlsstores"}
|
||||||
|
|
||||||
|
var tlsstoresKind = schema.GroupVersionKind{Group: "traefik.containo.us", Version: "v1alpha1", Kind: "TLSStore"}
|
||||||
|
|
||||||
|
// Get takes name of the tLSStore, and returns the corresponding tLSStore object, and an error if there is any.
|
||||||
|
func (c *FakeTLSStores) Get(name string, options v1.GetOptions) (result *v1alpha1.TLSStore, err error) {
|
||||||
|
obj, err := c.Fake.
|
||||||
|
Invokes(testing.NewGetAction(tlsstoresResource, c.ns, name), &v1alpha1.TLSStore{})
|
||||||
|
|
||||||
|
if obj == nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return obj.(*v1alpha1.TLSStore), err
|
||||||
|
}
|
||||||
|
|
||||||
|
// List takes label and field selectors, and returns the list of TLSStores that match those selectors.
|
||||||
|
func (c *FakeTLSStores) List(opts v1.ListOptions) (result *v1alpha1.TLSStoreList, err error) {
|
||||||
|
obj, err := c.Fake.
|
||||||
|
Invokes(testing.NewListAction(tlsstoresResource, tlsstoresKind, c.ns, opts), &v1alpha1.TLSStoreList{})
|
||||||
|
|
||||||
|
if obj == nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
label, _, _ := testing.ExtractFromListOptions(opts)
|
||||||
|
if label == nil {
|
||||||
|
label = labels.Everything()
|
||||||
|
}
|
||||||
|
list := &v1alpha1.TLSStoreList{ListMeta: obj.(*v1alpha1.TLSStoreList).ListMeta}
|
||||||
|
for _, item := range obj.(*v1alpha1.TLSStoreList).Items {
|
||||||
|
if label.Matches(labels.Set(item.Labels)) {
|
||||||
|
list.Items = append(list.Items, item)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return list, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Watch returns a watch.Interface that watches the requested tLSStores.
|
||||||
|
func (c *FakeTLSStores) Watch(opts v1.ListOptions) (watch.Interface, error) {
|
||||||
|
return c.Fake.
|
||||||
|
InvokesWatch(testing.NewWatchAction(tlsstoresResource, c.ns, opts))
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create takes the representation of a tLSStore and creates it. Returns the server's representation of the tLSStore, and an error, if there is any.
|
||||||
|
func (c *FakeTLSStores) Create(tLSStore *v1alpha1.TLSStore) (result *v1alpha1.TLSStore, err error) {
|
||||||
|
obj, err := c.Fake.
|
||||||
|
Invokes(testing.NewCreateAction(tlsstoresResource, c.ns, tLSStore), &v1alpha1.TLSStore{})
|
||||||
|
|
||||||
|
if obj == nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return obj.(*v1alpha1.TLSStore), err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update takes the representation of a tLSStore and updates it. Returns the server's representation of the tLSStore, and an error, if there is any.
|
||||||
|
func (c *FakeTLSStores) Update(tLSStore *v1alpha1.TLSStore) (result *v1alpha1.TLSStore, err error) {
|
||||||
|
obj, err := c.Fake.
|
||||||
|
Invokes(testing.NewUpdateAction(tlsstoresResource, c.ns, tLSStore), &v1alpha1.TLSStore{})
|
||||||
|
|
||||||
|
if obj == nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return obj.(*v1alpha1.TLSStore), err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Delete takes name of the tLSStore and deletes it. Returns an error if one occurs.
|
||||||
|
func (c *FakeTLSStores) Delete(name string, options *v1.DeleteOptions) error {
|
||||||
|
_, err := c.Fake.
|
||||||
|
Invokes(testing.NewDeleteAction(tlsstoresResource, c.ns, name), &v1alpha1.TLSStore{})
|
||||||
|
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeleteCollection deletes a collection of objects.
|
||||||
|
func (c *FakeTLSStores) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
|
||||||
|
action := testing.NewDeleteCollectionAction(tlsstoresResource, c.ns, listOptions)
|
||||||
|
|
||||||
|
_, err := c.Fake.Invokes(action, &v1alpha1.TLSStoreList{})
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Patch applies the patch and returns the patched tLSStore.
|
||||||
|
func (c *FakeTLSStores) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.TLSStore, err error) {
|
||||||
|
obj, err := c.Fake.
|
||||||
|
Invokes(testing.NewPatchSubresourceAction(tlsstoresResource, c.ns, name, pt, data, subresources...), &v1alpha1.TLSStore{})
|
||||||
|
|
||||||
|
if obj == nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return obj.(*v1alpha1.TLSStore), err
|
||||||
|
}
|
|
@ -52,6 +52,10 @@ func (c *FakeTraefikV1alpha1) TLSOptions(namespace string) v1alpha1.TLSOptionInt
|
||||||
return &FakeTLSOptions{c, namespace}
|
return &FakeTLSOptions{c, namespace}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *FakeTraefikV1alpha1) TLSStores(namespace string) v1alpha1.TLSStoreInterface {
|
||||||
|
return &FakeTLSStores{c, namespace}
|
||||||
|
}
|
||||||
|
|
||||||
func (c *FakeTraefikV1alpha1) TraefikServices(namespace string) v1alpha1.TraefikServiceInterface {
|
func (c *FakeTraefikV1alpha1) TraefikServices(namespace string) v1alpha1.TraefikServiceInterface {
|
||||||
return &FakeTraefikServices{c, namespace}
|
return &FakeTraefikServices{c, namespace}
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,4 +34,6 @@ type MiddlewareExpansion interface{}
|
||||||
|
|
||||||
type TLSOptionExpansion interface{}
|
type TLSOptionExpansion interface{}
|
||||||
|
|
||||||
|
type TLSStoreExpansion interface{}
|
||||||
|
|
||||||
type TraefikServiceExpansion interface{}
|
type TraefikServiceExpansion interface{}
|
||||||
|
|
|
@ -0,0 +1,182 @@
|
||||||
|
/*
|
||||||
|
The MIT License (MIT)
|
||||||
|
|
||||||
|
Copyright (c) 2016-2020 Containous SAS
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
of this software and associated documentation files (the "Software"), to deal
|
||||||
|
in the Software without restriction, including without limitation the rights
|
||||||
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
copies of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be included in
|
||||||
|
all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||||
|
THE SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Code generated by client-gen. DO NOT EDIT.
|
||||||
|
|
||||||
|
package v1alpha1
|
||||||
|
|
||||||
|
import (
|
||||||
|
"time"
|
||||||
|
|
||||||
|
scheme "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme"
|
||||||
|
v1alpha1 "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
|
||||||
|
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
types "k8s.io/apimachinery/pkg/types"
|
||||||
|
watch "k8s.io/apimachinery/pkg/watch"
|
||||||
|
rest "k8s.io/client-go/rest"
|
||||||
|
)
|
||||||
|
|
||||||
|
// TLSStoresGetter has a method to return a TLSStoreInterface.
|
||||||
|
// A group's client should implement this interface.
|
||||||
|
type TLSStoresGetter interface {
|
||||||
|
TLSStores(namespace string) TLSStoreInterface
|
||||||
|
}
|
||||||
|
|
||||||
|
// TLSStoreInterface has methods to work with TLSStore resources.
|
||||||
|
type TLSStoreInterface interface {
|
||||||
|
Create(*v1alpha1.TLSStore) (*v1alpha1.TLSStore, error)
|
||||||
|
Update(*v1alpha1.TLSStore) (*v1alpha1.TLSStore, error)
|
||||||
|
Delete(name string, options *v1.DeleteOptions) error
|
||||||
|
DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
|
||||||
|
Get(name string, options v1.GetOptions) (*v1alpha1.TLSStore, error)
|
||||||
|
List(opts v1.ListOptions) (*v1alpha1.TLSStoreList, error)
|
||||||
|
Watch(opts v1.ListOptions) (watch.Interface, error)
|
||||||
|
Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.TLSStore, err error)
|
||||||
|
TLSStoreExpansion
|
||||||
|
}
|
||||||
|
|
||||||
|
// tLSStores implements TLSStoreInterface
|
||||||
|
type tLSStores struct {
|
||||||
|
client rest.Interface
|
||||||
|
ns string
|
||||||
|
}
|
||||||
|
|
||||||
|
// newTLSStores returns a TLSStores
|
||||||
|
func newTLSStores(c *TraefikV1alpha1Client, namespace string) *tLSStores {
|
||||||
|
return &tLSStores{
|
||||||
|
client: c.RESTClient(),
|
||||||
|
ns: namespace,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Get takes name of the tLSStore, and returns the corresponding tLSStore object, and an error if there is any.
|
||||||
|
func (c *tLSStores) Get(name string, options v1.GetOptions) (result *v1alpha1.TLSStore, err error) {
|
||||||
|
result = &v1alpha1.TLSStore{}
|
||||||
|
err = c.client.Get().
|
||||||
|
Namespace(c.ns).
|
||||||
|
Resource("tlsstores").
|
||||||
|
Name(name).
|
||||||
|
VersionedParams(&options, scheme.ParameterCodec).
|
||||||
|
Do().
|
||||||
|
Into(result)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// List takes label and field selectors, and returns the list of TLSStores that match those selectors.
|
||||||
|
func (c *tLSStores) List(opts v1.ListOptions) (result *v1alpha1.TLSStoreList, err error) {
|
||||||
|
var timeout time.Duration
|
||||||
|
if opts.TimeoutSeconds != nil {
|
||||||
|
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
|
||||||
|
}
|
||||||
|
result = &v1alpha1.TLSStoreList{}
|
||||||
|
err = c.client.Get().
|
||||||
|
Namespace(c.ns).
|
||||||
|
Resource("tlsstores").
|
||||||
|
VersionedParams(&opts, scheme.ParameterCodec).
|
||||||
|
Timeout(timeout).
|
||||||
|
Do().
|
||||||
|
Into(result)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Watch returns a watch.Interface that watches the requested tLSStores.
|
||||||
|
func (c *tLSStores) Watch(opts v1.ListOptions) (watch.Interface, error) {
|
||||||
|
var timeout time.Duration
|
||||||
|
if opts.TimeoutSeconds != nil {
|
||||||
|
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
|
||||||
|
}
|
||||||
|
opts.Watch = true
|
||||||
|
return c.client.Get().
|
||||||
|
Namespace(c.ns).
|
||||||
|
Resource("tlsstores").
|
||||||
|
VersionedParams(&opts, scheme.ParameterCodec).
|
||||||
|
Timeout(timeout).
|
||||||
|
Watch()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create takes the representation of a tLSStore and creates it. Returns the server's representation of the tLSStore, and an error, if there is any.
|
||||||
|
func (c *tLSStores) Create(tLSStore *v1alpha1.TLSStore) (result *v1alpha1.TLSStore, err error) {
|
||||||
|
result = &v1alpha1.TLSStore{}
|
||||||
|
err = c.client.Post().
|
||||||
|
Namespace(c.ns).
|
||||||
|
Resource("tlsstores").
|
||||||
|
Body(tLSStore).
|
||||||
|
Do().
|
||||||
|
Into(result)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update takes the representation of a tLSStore and updates it. Returns the server's representation of the tLSStore, and an error, if there is any.
|
||||||
|
func (c *tLSStores) Update(tLSStore *v1alpha1.TLSStore) (result *v1alpha1.TLSStore, err error) {
|
||||||
|
result = &v1alpha1.TLSStore{}
|
||||||
|
err = c.client.Put().
|
||||||
|
Namespace(c.ns).
|
||||||
|
Resource("tlsstores").
|
||||||
|
Name(tLSStore.Name).
|
||||||
|
Body(tLSStore).
|
||||||
|
Do().
|
||||||
|
Into(result)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Delete takes name of the tLSStore and deletes it. Returns an error if one occurs.
|
||||||
|
func (c *tLSStores) Delete(name string, options *v1.DeleteOptions) error {
|
||||||
|
return c.client.Delete().
|
||||||
|
Namespace(c.ns).
|
||||||
|
Resource("tlsstores").
|
||||||
|
Name(name).
|
||||||
|
Body(options).
|
||||||
|
Do().
|
||||||
|
Error()
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeleteCollection deletes a collection of objects.
|
||||||
|
func (c *tLSStores) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
|
||||||
|
var timeout time.Duration
|
||||||
|
if listOptions.TimeoutSeconds != nil {
|
||||||
|
timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
|
||||||
|
}
|
||||||
|
return c.client.Delete().
|
||||||
|
Namespace(c.ns).
|
||||||
|
Resource("tlsstores").
|
||||||
|
VersionedParams(&listOptions, scheme.ParameterCodec).
|
||||||
|
Timeout(timeout).
|
||||||
|
Body(options).
|
||||||
|
Do().
|
||||||
|
Error()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Patch applies the patch and returns the patched tLSStore.
|
||||||
|
func (c *tLSStores) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.TLSStore, err error) {
|
||||||
|
result = &v1alpha1.TLSStore{}
|
||||||
|
err = c.client.Patch(pt).
|
||||||
|
Namespace(c.ns).
|
||||||
|
Resource("tlsstores").
|
||||||
|
SubResource(subresources...).
|
||||||
|
Name(name).
|
||||||
|
Body(data).
|
||||||
|
Do().
|
||||||
|
Into(result)
|
||||||
|
return
|
||||||
|
}
|
|
@ -38,6 +38,7 @@ type TraefikV1alpha1Interface interface {
|
||||||
IngressRouteTCPsGetter
|
IngressRouteTCPsGetter
|
||||||
MiddlewaresGetter
|
MiddlewaresGetter
|
||||||
TLSOptionsGetter
|
TLSOptionsGetter
|
||||||
|
TLSStoresGetter
|
||||||
TraefikServicesGetter
|
TraefikServicesGetter
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -62,6 +63,10 @@ func (c *TraefikV1alpha1Client) TLSOptions(namespace string) TLSOptionInterface
|
||||||
return newTLSOptions(c, namespace)
|
return newTLSOptions(c, namespace)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *TraefikV1alpha1Client) TLSStores(namespace string) TLSStoreInterface {
|
||||||
|
return newTLSStores(c, namespace)
|
||||||
|
}
|
||||||
|
|
||||||
func (c *TraefikV1alpha1Client) TraefikServices(namespace string) TraefikServiceInterface {
|
func (c *TraefikV1alpha1Client) TraefikServices(namespace string) TraefikServiceInterface {
|
||||||
return newTraefikServices(c, namespace)
|
return newTraefikServices(c, namespace)
|
||||||
}
|
}
|
||||||
|
|
|
@ -69,6 +69,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
|
||||||
return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().Middlewares().Informer()}, nil
|
return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().Middlewares().Informer()}, nil
|
||||||
case v1alpha1.SchemeGroupVersion.WithResource("tlsoptions"):
|
case v1alpha1.SchemeGroupVersion.WithResource("tlsoptions"):
|
||||||
return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().TLSOptions().Informer()}, nil
|
return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().TLSOptions().Informer()}, nil
|
||||||
|
case v1alpha1.SchemeGroupVersion.WithResource("tlsstores"):
|
||||||
|
return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().TLSStores().Informer()}, nil
|
||||||
case v1alpha1.SchemeGroupVersion.WithResource("traefikservices"):
|
case v1alpha1.SchemeGroupVersion.WithResource("traefikservices"):
|
||||||
return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().TraefikServices().Informer()}, nil
|
return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().TraefikServices().Informer()}, nil
|
||||||
|
|
||||||
|
|
|
@ -40,6 +40,8 @@ type Interface interface {
|
||||||
Middlewares() MiddlewareInformer
|
Middlewares() MiddlewareInformer
|
||||||
// TLSOptions returns a TLSOptionInformer.
|
// TLSOptions returns a TLSOptionInformer.
|
||||||
TLSOptions() TLSOptionInformer
|
TLSOptions() TLSOptionInformer
|
||||||
|
// TLSStores returns a TLSStoreInformer.
|
||||||
|
TLSStores() TLSStoreInformer
|
||||||
// TraefikServices returns a TraefikServiceInformer.
|
// TraefikServices returns a TraefikServiceInformer.
|
||||||
TraefikServices() TraefikServiceInformer
|
TraefikServices() TraefikServiceInformer
|
||||||
}
|
}
|
||||||
|
@ -75,6 +77,11 @@ func (v *version) TLSOptions() TLSOptionInformer {
|
||||||
return &tLSOptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
return &tLSOptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TLSStores returns a TLSStoreInformer.
|
||||||
|
func (v *version) TLSStores() TLSStoreInformer {
|
||||||
|
return &tLSStoreInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
||||||
|
}
|
||||||
|
|
||||||
// TraefikServices returns a TraefikServiceInformer.
|
// TraefikServices returns a TraefikServiceInformer.
|
||||||
func (v *version) TraefikServices() TraefikServiceInformer {
|
func (v *version) TraefikServices() TraefikServiceInformer {
|
||||||
return &traefikServiceInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
return &traefikServiceInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
||||||
|
|
|
@ -0,0 +1,97 @@
|
||||||
|
/*
|
||||||
|
The MIT License (MIT)
|
||||||
|
|
||||||
|
Copyright (c) 2016-2020 Containous SAS
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
of this software and associated documentation files (the "Software"), to deal
|
||||||
|
in the Software without restriction, including without limitation the rights
|
||||||
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
copies of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be included in
|
||||||
|
all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||||
|
THE SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Code generated by informer-gen. DO NOT EDIT.
|
||||||
|
|
||||||
|
package v1alpha1
|
||||||
|
|
||||||
|
import (
|
||||||
|
time "time"
|
||||||
|
|
||||||
|
versioned "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned"
|
||||||
|
internalinterfaces "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/generated/informers/externalversions/internalinterfaces"
|
||||||
|
v1alpha1 "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/generated/listers/traefik/v1alpha1"
|
||||||
|
traefikv1alpha1 "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
|
||||||
|
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||||
|
watch "k8s.io/apimachinery/pkg/watch"
|
||||||
|
cache "k8s.io/client-go/tools/cache"
|
||||||
|
)
|
||||||
|
|
||||||
|
// TLSStoreInformer provides access to a shared informer and lister for
|
||||||
|
// TLSStores.
|
||||||
|
type TLSStoreInformer interface {
|
||||||
|
Informer() cache.SharedIndexInformer
|
||||||
|
Lister() v1alpha1.TLSStoreLister
|
||||||
|
}
|
||||||
|
|
||||||
|
type tLSStoreInformer struct {
|
||||||
|
factory internalinterfaces.SharedInformerFactory
|
||||||
|
tweakListOptions internalinterfaces.TweakListOptionsFunc
|
||||||
|
namespace string
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewTLSStoreInformer constructs a new informer for TLSStore type.
|
||||||
|
// Always prefer using an informer factory to get a shared informer instead of getting an independent
|
||||||
|
// one. This reduces memory footprint and number of connections to the server.
|
||||||
|
func NewTLSStoreInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
|
||||||
|
return NewFilteredTLSStoreInformer(client, namespace, resyncPeriod, indexers, nil)
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewFilteredTLSStoreInformer constructs a new informer for TLSStore type.
|
||||||
|
// Always prefer using an informer factory to get a shared informer instead of getting an independent
|
||||||
|
// one. This reduces memory footprint and number of connections to the server.
|
||||||
|
func NewFilteredTLSStoreInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
|
||||||
|
return cache.NewSharedIndexInformer(
|
||||||
|
&cache.ListWatch{
|
||||||
|
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
|
||||||
|
if tweakListOptions != nil {
|
||||||
|
tweakListOptions(&options)
|
||||||
|
}
|
||||||
|
return client.TraefikV1alpha1().TLSStores(namespace).List(options)
|
||||||
|
},
|
||||||
|
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
|
||||||
|
if tweakListOptions != nil {
|
||||||
|
tweakListOptions(&options)
|
||||||
|
}
|
||||||
|
return client.TraefikV1alpha1().TLSStores(namespace).Watch(options)
|
||||||
|
},
|
||||||
|
},
|
||||||
|
&traefikv1alpha1.TLSStore{},
|
||||||
|
resyncPeriod,
|
||||||
|
indexers,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *tLSStoreInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
|
||||||
|
return NewFilteredTLSStoreInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *tLSStoreInformer) Informer() cache.SharedIndexInformer {
|
||||||
|
return f.factory.InformerFor(&traefikv1alpha1.TLSStore{}, f.defaultInformer)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *tLSStoreInformer) Lister() v1alpha1.TLSStoreLister {
|
||||||
|
return v1alpha1.NewTLSStoreLister(f.Informer().GetIndexer())
|
||||||
|
}
|
|
@ -58,6 +58,14 @@ type TLSOptionListerExpansion interface{}
|
||||||
// TLSOptionNamespaceLister.
|
// TLSOptionNamespaceLister.
|
||||||
type TLSOptionNamespaceListerExpansion interface{}
|
type TLSOptionNamespaceListerExpansion interface{}
|
||||||
|
|
||||||
|
// TLSStoreListerExpansion allows custom methods to be added to
|
||||||
|
// TLSStoreLister.
|
||||||
|
type TLSStoreListerExpansion interface{}
|
||||||
|
|
||||||
|
// TLSStoreNamespaceListerExpansion allows custom methods to be added to
|
||||||
|
// TLSStoreNamespaceLister.
|
||||||
|
type TLSStoreNamespaceListerExpansion interface{}
|
||||||
|
|
||||||
// TraefikServiceListerExpansion allows custom methods to be added to
|
// TraefikServiceListerExpansion allows custom methods to be added to
|
||||||
// TraefikServiceLister.
|
// TraefikServiceLister.
|
||||||
type TraefikServiceListerExpansion interface{}
|
type TraefikServiceListerExpansion interface{}
|
||||||
|
|
|
@ -0,0 +1,102 @@
|
||||||
|
/*
|
||||||
|
The MIT License (MIT)
|
||||||
|
|
||||||
|
Copyright (c) 2016-2020 Containous SAS
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
of this software and associated documentation files (the "Software"), to deal
|
||||||
|
in the Software without restriction, including without limitation the rights
|
||||||
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
copies of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be included in
|
||||||
|
all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||||
|
THE SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Code generated by lister-gen. DO NOT EDIT.
|
||||||
|
|
||||||
|
package v1alpha1
|
||||||
|
|
||||||
|
import (
|
||||||
|
v1alpha1 "github.com/containous/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
|
||||||
|
"k8s.io/apimachinery/pkg/api/errors"
|
||||||
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
|
"k8s.io/client-go/tools/cache"
|
||||||
|
)
|
||||||
|
|
||||||
|
// TLSStoreLister helps list TLSStores.
|
||||||
|
type TLSStoreLister interface {
|
||||||
|
// List lists all TLSStores in the indexer.
|
||||||
|
List(selector labels.Selector) (ret []*v1alpha1.TLSStore, err error)
|
||||||
|
// TLSStores returns an object that can list and get TLSStores.
|
||||||
|
TLSStores(namespace string) TLSStoreNamespaceLister
|
||||||
|
TLSStoreListerExpansion
|
||||||
|
}
|
||||||
|
|
||||||
|
// tLSStoreLister implements the TLSStoreLister interface.
|
||||||
|
type tLSStoreLister struct {
|
||||||
|
indexer cache.Indexer
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewTLSStoreLister returns a new TLSStoreLister.
|
||||||
|
func NewTLSStoreLister(indexer cache.Indexer) TLSStoreLister {
|
||||||
|
return &tLSStoreLister{indexer: indexer}
|
||||||
|
}
|
||||||
|
|
||||||
|
// List lists all TLSStores in the indexer.
|
||||||
|
func (s *tLSStoreLister) List(selector labels.Selector) (ret []*v1alpha1.TLSStore, err error) {
|
||||||
|
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
|
||||||
|
ret = append(ret, m.(*v1alpha1.TLSStore))
|
||||||
|
})
|
||||||
|
return ret, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// TLSStores returns an object that can list and get TLSStores.
|
||||||
|
func (s *tLSStoreLister) TLSStores(namespace string) TLSStoreNamespaceLister {
|
||||||
|
return tLSStoreNamespaceLister{indexer: s.indexer, namespace: namespace}
|
||||||
|
}
|
||||||
|
|
||||||
|
// TLSStoreNamespaceLister helps list and get TLSStores.
|
||||||
|
type TLSStoreNamespaceLister interface {
|
||||||
|
// List lists all TLSStores in the indexer for a given namespace.
|
||||||
|
List(selector labels.Selector) (ret []*v1alpha1.TLSStore, err error)
|
||||||
|
// Get retrieves the TLSStore from the indexer for a given namespace and name.
|
||||||
|
Get(name string) (*v1alpha1.TLSStore, error)
|
||||||
|
TLSStoreNamespaceListerExpansion
|
||||||
|
}
|
||||||
|
|
||||||
|
// tLSStoreNamespaceLister implements the TLSStoreNamespaceLister
|
||||||
|
// interface.
|
||||||
|
type tLSStoreNamespaceLister struct {
|
||||||
|
indexer cache.Indexer
|
||||||
|
namespace string
|
||||||
|
}
|
||||||
|
|
||||||
|
// List lists all TLSStores in the indexer for a given namespace.
|
||||||
|
func (s tLSStoreNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.TLSStore, err error) {
|
||||||
|
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
|
||||||
|
ret = append(ret, m.(*v1alpha1.TLSStore))
|
||||||
|
})
|
||||||
|
return ret, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Get retrieves the TLSStore from the indexer for a given namespace and name.
|
||||||
|
func (s tLSStoreNamespaceLister) Get(name string) (*v1alpha1.TLSStore, error) {
|
||||||
|
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if !exists {
|
||||||
|
return nil, errors.NewNotFound(v1alpha1.Resource("tlsstore"), name)
|
||||||
|
}
|
||||||
|
return obj.(*v1alpha1.TLSStore), nil
|
||||||
|
}
|
|
@ -171,6 +171,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
|
||||||
TLS: &dynamic.TLSConfiguration{
|
TLS: &dynamic.TLSConfiguration{
|
||||||
Certificates: getTLSConfig(tlsConfigs),
|
Certificates: getTLSConfig(tlsConfigs),
|
||||||
Options: buildTLSOptions(ctx, client),
|
Options: buildTLSOptions(ctx, client),
|
||||||
|
Stores: buildTLSStores(ctx, client),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -466,6 +467,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
|
||||||
return tlsOptions
|
return tlsOptions
|
||||||
}
|
}
|
||||||
tlsOptions = make(map[string]tls.Options)
|
tlsOptions = make(map[string]tls.Options)
|
||||||
|
var nsDefault []string
|
||||||
|
|
||||||
for _, tlsOption := range tlsOptionsCRD {
|
for _, tlsOption := range tlsOptionsCRD {
|
||||||
logger := log.FromContext(log.With(ctx, log.Str("tlsOption", tlsOption.Name), log.Str("namespace", tlsOption.Namespace)))
|
logger := log.FromContext(log.With(ctx, log.Str("tlsOption", tlsOption.Name), log.Str("namespace", tlsOption.Namespace)))
|
||||||
|
@ -492,7 +494,13 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
|
||||||
clientCAs = append(clientCAs, tls.FileOrContent(cert))
|
clientCAs = append(clientCAs, tls.FileOrContent(cert))
|
||||||
}
|
}
|
||||||
|
|
||||||
tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.Options{
|
id := makeID(tlsOption.Namespace, tlsOption.Name)
|
||||||
|
// If the name is default, we override the default config.
|
||||||
|
if tlsOption.Name == "default" {
|
||||||
|
id = tlsOption.Name
|
||||||
|
nsDefault = append(nsDefault, tlsOption.Namespace)
|
||||||
|
}
|
||||||
|
tlsOptions[id] = tls.Options{
|
||||||
MinVersion: tlsOption.Spec.MinVersion,
|
MinVersion: tlsOption.Spec.MinVersion,
|
||||||
MaxVersion: tlsOption.Spec.MaxVersion,
|
MaxVersion: tlsOption.Spec.MaxVersion,
|
||||||
CipherSuites: tlsOption.Spec.CipherSuites,
|
CipherSuites: tlsOption.Spec.CipherSuites,
|
||||||
|
@ -505,9 +513,68 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
|
||||||
PreferServerCipherSuites: tlsOption.Spec.PreferServerCipherSuites,
|
PreferServerCipherSuites: tlsOption.Spec.PreferServerCipherSuites,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(nsDefault) > 1 {
|
||||||
|
delete(tlsOptions, "default")
|
||||||
|
log.FromContext(ctx).Errorf("Default TLS Options defined in multiple namespaces: %v", nsDefault)
|
||||||
|
}
|
||||||
|
|
||||||
return tlsOptions
|
return tlsOptions
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func buildTLSStores(ctx context.Context, client Client) map[string]tls.Store {
|
||||||
|
tlsStoreCRD := client.GetTLSStores()
|
||||||
|
var tlsStores map[string]tls.Store
|
||||||
|
|
||||||
|
if len(tlsStoreCRD) == 0 {
|
||||||
|
return tlsStores
|
||||||
|
}
|
||||||
|
tlsStores = make(map[string]tls.Store)
|
||||||
|
var nsDefault []string
|
||||||
|
|
||||||
|
for _, tlsStore := range tlsStoreCRD {
|
||||||
|
namespace := tlsStore.Namespace
|
||||||
|
secretName := tlsStore.Spec.DefaultCertificate.SecretName
|
||||||
|
logger := log.FromContext(log.With(ctx, log.Str("tlsStore", tlsStore.Name), log.Str("namespace", namespace), log.Str("secretName", secretName)))
|
||||||
|
|
||||||
|
secret, exists, err := client.GetSecret(namespace, secretName)
|
||||||
|
if err != nil {
|
||||||
|
logger.Errorf("Failed to fetch secret %s/%s: %v", namespace, secretName, err)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if !exists {
|
||||||
|
logger.Errorf("Secret %s/%s does not exist", namespace, secretName)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
cert, key, err := getCertificateBlocks(secret, namespace, secretName)
|
||||||
|
if err != nil {
|
||||||
|
logger.Errorf("Could not get certificate blocks: %v", err)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
id := makeID(tlsStore.Namespace, tlsStore.Name)
|
||||||
|
// If the name is default, we override the default config.
|
||||||
|
if tlsStore.Name == "default" {
|
||||||
|
id = tlsStore.Name
|
||||||
|
nsDefault = append(nsDefault, tlsStore.Namespace)
|
||||||
|
}
|
||||||
|
tlsStores[id] = tls.Store{
|
||||||
|
DefaultCertificate: &tls.Certificate{
|
||||||
|
CertFile: tls.FileOrContent(cert),
|
||||||
|
KeyFile: tls.FileOrContent(key),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(nsDefault) > 1 {
|
||||||
|
delete(tlsStores, "default")
|
||||||
|
log.FromContext(ctx).Errorf("Default TLS Stores defined in multiple namespaces: %v", nsDefault)
|
||||||
|
}
|
||||||
|
|
||||||
|
return tlsStores
|
||||||
|
}
|
||||||
|
|
||||||
func checkStringQuoteValidity(value string) error {
|
func checkStringQuoteValidity(value string) error {
|
||||||
_, err := strconv.Unquote(`"` + value + `"`)
|
_, err := strconv.Unquote(`"` + value + `"`)
|
||||||
return err
|
return err
|
||||||
|
|
|
@ -746,6 +746,53 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
desc: "TLS with tls Store",
|
||||||
|
paths: []string{"tcp/services.yml", "tcp/with_tls_store.yml"},
|
||||||
|
expected: &dynamic.Configuration{
|
||||||
|
TLS: &dynamic.TLSConfiguration{
|
||||||
|
Stores: map[string]tls.Store{
|
||||||
|
"default": {
|
||||||
|
DefaultCertificate: &tls.Certificate{
|
||||||
|
CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||||
|
KeyFile: tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
TCP: &dynamic.TCPConfiguration{
|
||||||
|
Routers: map[string]*dynamic.TCPRouter{
|
||||||
|
"default-test.route-fdd3e9338e47a45efefc": {
|
||||||
|
EntryPoints: []string{"foo"},
|
||||||
|
Service: "default-test.route-fdd3e9338e47a45efefc",
|
||||||
|
Rule: "HostSNI(`foo.com`)",
|
||||||
|
TLS: &dynamic.RouterTCPTLSConfig{},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Services: map[string]*dynamic.TCPService{
|
||||||
|
"default-test.route-fdd3e9338e47a45efefc": {
|
||||||
|
LoadBalancer: &dynamic.TCPServersLoadBalancer{
|
||||||
|
Servers: []dynamic.TCPServer{
|
||||||
|
{
|
||||||
|
Address: "10.10.0.1:8000",
|
||||||
|
Port: "",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Address: "10.10.0.2:8000",
|
||||||
|
Port: "",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
HTTP: &dynamic.HTTPConfiguration{
|
||||||
|
Routers: map[string]*dynamic.Router{},
|
||||||
|
Middlewares: map[string]*dynamic.Middleware{},
|
||||||
|
Services: map[string]*dynamic.Service{},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, test := range testCases {
|
for _, test := range testCases {
|
||||||
|
@ -1937,6 +1984,107 @@ func TestLoadIngressRoutes(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
desc: "TLS with two default tls options",
|
||||||
|
paths: []string{"services.yml", "with_default_tls_options.yml", "with_default_tls_options_default_namespace.yml"},
|
||||||
|
expected: &dynamic.Configuration{
|
||||||
|
TLS: &dynamic.TLSConfiguration{
|
||||||
|
Options: map[string]tls.Options{},
|
||||||
|
},
|
||||||
|
TCP: &dynamic.TCPConfiguration{
|
||||||
|
Routers: map[string]*dynamic.TCPRouter{},
|
||||||
|
Services: map[string]*dynamic.TCPService{},
|
||||||
|
},
|
||||||
|
HTTP: &dynamic.HTTPConfiguration{
|
||||||
|
Routers: map[string]*dynamic.Router{
|
||||||
|
"default-test-route-6b204d94623b3df4370c": {
|
||||||
|
EntryPoints: []string{"web"},
|
||||||
|
Service: "default-test-route-6b204d94623b3df4370c",
|
||||||
|
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
|
||||||
|
Priority: 12,
|
||||||
|
TLS: &dynamic.RouterTLSConfig{
|
||||||
|
Options: "default-foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Middlewares: map[string]*dynamic.Middleware{},
|
||||||
|
Services: map[string]*dynamic.Service{
|
||||||
|
"default-test-route-6b204d94623b3df4370c": {
|
||||||
|
LoadBalancer: &dynamic.ServersLoadBalancer{
|
||||||
|
Servers: []dynamic.Server{
|
||||||
|
{
|
||||||
|
URL: "http://10.10.0.1:80",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
URL: "http://10.10.0.2:80",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
PassHostHeader: Bool(true),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "TLS with default tls options",
|
||||||
|
paths: []string{"services.yml", "with_default_tls_options.yml"},
|
||||||
|
expected: &dynamic.Configuration{
|
||||||
|
TLS: &dynamic.TLSConfiguration{
|
||||||
|
Options: map[string]tls.Options{
|
||||||
|
"default": {
|
||||||
|
MinVersion: "VersionTLS12",
|
||||||
|
CipherSuites: []string{
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
|
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||||
|
},
|
||||||
|
ClientAuth: tls.ClientAuth{
|
||||||
|
CAFiles: []tls.FileOrContent{
|
||||||
|
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||||
|
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||||
|
},
|
||||||
|
ClientAuthType: "VerifyClientCertIfGiven",
|
||||||
|
},
|
||||||
|
SniStrict: true,
|
||||||
|
PreferServerCipherSuites: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
TCP: &dynamic.TCPConfiguration{
|
||||||
|
Routers: map[string]*dynamic.TCPRouter{},
|
||||||
|
Services: map[string]*dynamic.TCPService{},
|
||||||
|
},
|
||||||
|
HTTP: &dynamic.HTTPConfiguration{
|
||||||
|
Routers: map[string]*dynamic.Router{
|
||||||
|
"default-test-route-6b204d94623b3df4370c": {
|
||||||
|
EntryPoints: []string{"web"},
|
||||||
|
Service: "default-test-route-6b204d94623b3df4370c",
|
||||||
|
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
|
||||||
|
Priority: 12,
|
||||||
|
TLS: &dynamic.RouterTLSConfig{
|
||||||
|
Options: "default-foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Middlewares: map[string]*dynamic.Middleware{},
|
||||||
|
Services: map[string]*dynamic.Service{
|
||||||
|
"default-test-route-6b204d94623b3df4370c": {
|
||||||
|
LoadBalancer: &dynamic.ServersLoadBalancer{
|
||||||
|
Servers: []dynamic.Server{
|
||||||
|
{
|
||||||
|
URL: "http://10.10.0.1:80",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
URL: "http://10.10.0.2:80",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
PassHostHeader: Bool(true),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
desc: "TLS with tls options and specific namespace",
|
desc: "TLS with tls options and specific namespace",
|
||||||
paths: []string{"services.yml", "with_tls_options_and_specific_namespace.yml"},
|
paths: []string{"services.yml", "with_tls_options_and_specific_namespace.yml"},
|
||||||
|
@ -2369,6 +2517,93 @@ func TestLoadIngressRoutes(t *testing.T) {
|
||||||
TLS: &dynamic.TLSConfiguration{},
|
TLS: &dynamic.TLSConfiguration{},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
desc: "TLS with tls store",
|
||||||
|
paths: []string{"services.yml", "with_tls_store.yml"},
|
||||||
|
expected: &dynamic.Configuration{
|
||||||
|
TLS: &dynamic.TLSConfiguration{
|
||||||
|
Stores: map[string]tls.Store{
|
||||||
|
"default": {
|
||||||
|
DefaultCertificate: &tls.Certificate{
|
||||||
|
CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||||
|
KeyFile: tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
TCP: &dynamic.TCPConfiguration{
|
||||||
|
Routers: map[string]*dynamic.TCPRouter{},
|
||||||
|
Services: map[string]*dynamic.TCPService{},
|
||||||
|
},
|
||||||
|
HTTP: &dynamic.HTTPConfiguration{
|
||||||
|
Routers: map[string]*dynamic.Router{
|
||||||
|
"default-test-route-6b204d94623b3df4370c": {
|
||||||
|
EntryPoints: []string{"web"},
|
||||||
|
Service: "default-test-route-6b204d94623b3df4370c",
|
||||||
|
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
|
||||||
|
Priority: 12,
|
||||||
|
TLS: &dynamic.RouterTLSConfig{},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Middlewares: map[string]*dynamic.Middleware{},
|
||||||
|
Services: map[string]*dynamic.Service{
|
||||||
|
"default-test-route-6b204d94623b3df4370c": {
|
||||||
|
LoadBalancer: &dynamic.ServersLoadBalancer{
|
||||||
|
Servers: []dynamic.Server{
|
||||||
|
{
|
||||||
|
URL: "http://10.10.0.1:80",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
URL: "http://10.10.0.2:80",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
PassHostHeader: Bool(true),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "TLS with tls store default two times",
|
||||||
|
paths: []string{"services.yml", "with_tls_store.yml", "with_default_tls_store.yml"},
|
||||||
|
expected: &dynamic.Configuration{
|
||||||
|
TLS: &dynamic.TLSConfiguration{
|
||||||
|
Stores: map[string]tls.Store{},
|
||||||
|
},
|
||||||
|
TCP: &dynamic.TCPConfiguration{
|
||||||
|
Routers: map[string]*dynamic.TCPRouter{},
|
||||||
|
Services: map[string]*dynamic.TCPService{},
|
||||||
|
},
|
||||||
|
HTTP: &dynamic.HTTPConfiguration{
|
||||||
|
Routers: map[string]*dynamic.Router{
|
||||||
|
"default-test-route-6b204d94623b3df4370c": {
|
||||||
|
EntryPoints: []string{"web"},
|
||||||
|
Service: "default-test-route-6b204d94623b3df4370c",
|
||||||
|
Rule: "Host(`foo.com`) && PathPrefix(`/bar`)",
|
||||||
|
Priority: 12,
|
||||||
|
TLS: &dynamic.RouterTLSConfig{},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Middlewares: map[string]*dynamic.Middleware{},
|
||||||
|
Services: map[string]*dynamic.Service{
|
||||||
|
"default-test-route-6b204d94623b3df4370c": {
|
||||||
|
LoadBalancer: &dynamic.ServersLoadBalancer{
|
||||||
|
Servers: []dynamic.Server{
|
||||||
|
{
|
||||||
|
URL: "http://10.10.0.1:80",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
URL: "http://10.10.0.2:80",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
PassHostHeader: Bool(true),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
desc: "port selected by name (TODO)",
|
desc: "port selected by name (TODO)",
|
||||||
},
|
},
|
||||||
|
|
|
@ -39,6 +39,8 @@ type TLS struct {
|
||||||
SecretName string `json:"secretName"`
|
SecretName string `json:"secretName"`
|
||||||
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
|
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
|
||||||
Options *TLSOptionRef `json:"options,omitempty"`
|
Options *TLSOptionRef `json:"options,omitempty"`
|
||||||
|
// Store is a reference to a TLSStore, that specifies the parameters of the TLS store.
|
||||||
|
Store *TLSStoreRef `json:"store,omitempty"`
|
||||||
CertResolver string `json:"certResolver,omitempty"`
|
CertResolver string `json:"certResolver,omitempty"`
|
||||||
Domains []types.Domain `json:"domains,omitempty"`
|
Domains []types.Domain `json:"domains,omitempty"`
|
||||||
}
|
}
|
||||||
|
@ -49,6 +51,12 @@ type TLSOptionRef struct {
|
||||||
Namespace string `json:"namespace"`
|
Namespace string `json:"namespace"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TLSStoreRef is a ref to the TLSStore resource.
|
||||||
|
type TLSStoreRef struct {
|
||||||
|
Name string `json:"name"`
|
||||||
|
Namespace string `json:"namespace"`
|
||||||
|
}
|
||||||
|
|
||||||
// LoadBalancerSpec can reference either a Kubernetes Service object (a load-balancer of servers),
|
// LoadBalancerSpec can reference either a Kubernetes Service object (a load-balancer of servers),
|
||||||
// or a TraefikService object (a traefik load-balancer of services).
|
// or a TraefikService object (a traefik load-balancer of services).
|
||||||
type LoadBalancerSpec struct {
|
type LoadBalancerSpec struct {
|
||||||
|
|
|
@ -33,6 +33,8 @@ type TLSTCP struct {
|
||||||
Passthrough bool `json:"passthrough"`
|
Passthrough bool `json:"passthrough"`
|
||||||
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
|
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
|
||||||
Options *TLSOptionTCPRef `json:"options"`
|
Options *TLSOptionTCPRef `json:"options"`
|
||||||
|
// Store is a reference to a TLSStore, that specifies the parameters of the TLS store.
|
||||||
|
Store *TLSStoreTCPRef `json:"store"`
|
||||||
CertResolver string `json:"certResolver"`
|
CertResolver string `json:"certResolver"`
|
||||||
Domains []types.Domain `json:"domains,omitempty"`
|
Domains []types.Domain `json:"domains,omitempty"`
|
||||||
}
|
}
|
||||||
|
@ -43,6 +45,12 @@ type TLSOptionTCPRef struct {
|
||||||
Namespace string `json:"namespace"`
|
Namespace string `json:"namespace"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TLSStoreTCPRef is a ref to the TLSStore resources.
|
||||||
|
type TLSStoreTCPRef struct {
|
||||||
|
Name string `json:"name"`
|
||||||
|
Namespace string `json:"namespace"`
|
||||||
|
}
|
||||||
|
|
||||||
// ServiceTCP defines an upstream to proxy traffic.
|
// ServiceTCP defines an upstream to proxy traffic.
|
||||||
type ServiceTCP struct {
|
type ServiceTCP struct {
|
||||||
Name string `json:"name"`
|
Name string `json:"name"`
|
||||||
|
|
|
@ -41,6 +41,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
|
||||||
&MiddlewareList{},
|
&MiddlewareList{},
|
||||||
&TLSOption{},
|
&TLSOption{},
|
||||||
&TLSOptionList{},
|
&TLSOptionList{},
|
||||||
|
&TLSStore{},
|
||||||
|
&TLSStoreList{},
|
||||||
&TraefikService{},
|
&TraefikService{},
|
||||||
&TraefikServiceList{},
|
&TraefikServiceList{},
|
||||||
)
|
)
|
||||||
|
|
42
pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsstore.go
Normal file
42
pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsstore.go
Normal file
|
@ -0,0 +1,42 @@
|
||||||
|
package v1alpha1
|
||||||
|
|
||||||
|
import (
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
)
|
||||||
|
|
||||||
|
// +genclient
|
||||||
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
|
|
||||||
|
// TLSStore is a specification for a TLSStore resource.
|
||||||
|
type TLSStore struct {
|
||||||
|
metav1.TypeMeta `json:",inline"`
|
||||||
|
metav1.ObjectMeta `json:"metadata"`
|
||||||
|
|
||||||
|
Spec TLSStoreSpec `json:"spec"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// +k8s:deepcopy-gen=true
|
||||||
|
|
||||||
|
// TLSStoreSpec configures a TLSStore resource.
|
||||||
|
type TLSStoreSpec struct {
|
||||||
|
DefaultCertificate DefaultCertificate `json:"defaultCertificate"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// +k8s:deepcopy-gen=true
|
||||||
|
|
||||||
|
// DefaultCertificate holds a secret name for the TLSOption resource.
|
||||||
|
type DefaultCertificate struct {
|
||||||
|
// SecretName is the name of the referenced Kubernetes Secret to specify the
|
||||||
|
// certificate details.
|
||||||
|
SecretName string `json:"secretName,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
|
|
||||||
|
// TLSStoreList is a list of TLSStore resources.
|
||||||
|
type TLSStoreList struct {
|
||||||
|
metav1.TypeMeta `json:",inline"`
|
||||||
|
metav1.ListMeta `json:"metadata"`
|
||||||
|
|
||||||
|
Items []TLSStore `json:"items"`
|
||||||
|
}
|
|
@ -108,6 +108,22 @@ func (in *ClientTLS) DeepCopy() *ClientTLS {
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *DefaultCertificate) DeepCopyInto(out *DefaultCertificate) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultCertificate.
|
||||||
|
func (in *DefaultCertificate) DeepCopy() *DefaultCertificate {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(DefaultCertificate)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *DigestAuth) DeepCopyInto(out *DigestAuth) {
|
func (in *DigestAuth) DeepCopyInto(out *DigestAuth) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
@ -793,6 +809,11 @@ func (in *TLS) DeepCopyInto(out *TLS) {
|
||||||
*out = new(TLSOptionRef)
|
*out = new(TLSOptionRef)
|
||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
|
if in.Store != nil {
|
||||||
|
in, out := &in.Store, &out.Store
|
||||||
|
*out = new(TLSStoreRef)
|
||||||
|
**out = **in
|
||||||
|
}
|
||||||
if in.Domains != nil {
|
if in.Domains != nil {
|
||||||
in, out := &in.Domains, &out.Domains
|
in, out := &in.Domains, &out.Domains
|
||||||
*out = make([]types.Domain, len(*in))
|
*out = make([]types.Domain, len(*in))
|
||||||
|
@ -932,6 +953,115 @@ func (in *TLSOptionTCPRef) DeepCopy() *TLSOptionTCPRef {
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *TLSStore) DeepCopyInto(out *TLSStore) {
|
||||||
|
*out = *in
|
||||||
|
out.TypeMeta = in.TypeMeta
|
||||||
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
|
out.Spec = in.Spec
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSStore.
|
||||||
|
func (in *TLSStore) DeepCopy() *TLSStore {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(TLSStore)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
|
||||||
|
func (in *TLSStore) DeepCopyObject() runtime.Object {
|
||||||
|
if c := in.DeepCopy(); c != nil {
|
||||||
|
return c
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *TLSStoreList) DeepCopyInto(out *TLSStoreList) {
|
||||||
|
*out = *in
|
||||||
|
out.TypeMeta = in.TypeMeta
|
||||||
|
in.ListMeta.DeepCopyInto(&out.ListMeta)
|
||||||
|
if in.Items != nil {
|
||||||
|
in, out := &in.Items, &out.Items
|
||||||
|
*out = make([]TLSStore, len(*in))
|
||||||
|
for i := range *in {
|
||||||
|
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSStoreList.
|
||||||
|
func (in *TLSStoreList) DeepCopy() *TLSStoreList {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(TLSStoreList)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
|
||||||
|
func (in *TLSStoreList) DeepCopyObject() runtime.Object {
|
||||||
|
if c := in.DeepCopy(); c != nil {
|
||||||
|
return c
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *TLSStoreRef) DeepCopyInto(out *TLSStoreRef) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSStoreRef.
|
||||||
|
func (in *TLSStoreRef) DeepCopy() *TLSStoreRef {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(TLSStoreRef)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *TLSStoreSpec) DeepCopyInto(out *TLSStoreSpec) {
|
||||||
|
*out = *in
|
||||||
|
out.DefaultCertificate = in.DefaultCertificate
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSStoreSpec.
|
||||||
|
func (in *TLSStoreSpec) DeepCopy() *TLSStoreSpec {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(TLSStoreSpec)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *TLSStoreTCPRef) DeepCopyInto(out *TLSStoreTCPRef) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSStoreTCPRef.
|
||||||
|
func (in *TLSStoreTCPRef) DeepCopy() *TLSStoreTCPRef {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(TLSStoreTCPRef)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *TLSTCP) DeepCopyInto(out *TLSTCP) {
|
func (in *TLSTCP) DeepCopyInto(out *TLSTCP) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
@ -940,6 +1070,11 @@ func (in *TLSTCP) DeepCopyInto(out *TLSTCP) {
|
||||||
*out = new(TLSOptionTCPRef)
|
*out = new(TLSOptionTCPRef)
|
||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
|
if in.Store != nil {
|
||||||
|
in, out := &in.Store, &out.Store
|
||||||
|
*out = new(TLSStoreTCPRef)
|
||||||
|
**out = **in
|
||||||
|
}
|
||||||
if in.Domains != nil {
|
if in.Domains != nil {
|
||||||
in, out := &in.Domains, &out.Domains
|
in, out := &in.Domains, &out.Domains
|
||||||
*out = make([]types.Domain, len(*in))
|
*out = make([]types.Domain, len(*in))
|
||||||
|
|
|
@ -12,7 +12,7 @@ import (
|
||||||
|
|
||||||
// MustParseYaml parses a YAML to objects.
|
// MustParseYaml parses a YAML to objects.
|
||||||
func MustParseYaml(content []byte) []runtime.Object {
|
func MustParseYaml(content []byte) []runtime.Object {
|
||||||
acceptedK8sTypes := regexp.MustCompile(`^(Deployment|Endpoints|Service|Ingress|IngressRoute|IngressRouteTCP|Middleware|Secret|TLSOption|TraefikService)$`)
|
acceptedK8sTypes := regexp.MustCompile(`^(Deployment|Endpoints|Service|Ingress|IngressRoute|IngressRouteTCP|Middleware|Secret|TLSOption|TLSStore|TraefikService)$`)
|
||||||
|
|
||||||
files := strings.Split(string(content), "---")
|
files := strings.Split(string(content), "---")
|
||||||
retVal := make([]runtime.Object, 0, len(files))
|
retVal := make([]runtime.Object, 0, len(files))
|
||||||
|
|
|
@ -29,6 +29,7 @@ func mergeConfiguration(configurations dynamic.Configurations) dynamic.Configura
|
||||||
}
|
}
|
||||||
|
|
||||||
var defaultTLSOptionProviders []string
|
var defaultTLSOptionProviders []string
|
||||||
|
var defaultTLSStoreProviders []string
|
||||||
for pvd, configuration := range configurations {
|
for pvd, configuration := range configurations {
|
||||||
if configuration.HTTP != nil {
|
if configuration.HTTP != nil {
|
||||||
for routerName, router := range configuration.HTTP.Routers {
|
for routerName, router := range configuration.HTTP.Routers {
|
||||||
|
@ -64,6 +65,11 @@ func mergeConfiguration(configurations dynamic.Configurations) dynamic.Configura
|
||||||
conf.TLS.Certificates = append(conf.TLS.Certificates, configuration.TLS.Certificates...)
|
conf.TLS.Certificates = append(conf.TLS.Certificates, configuration.TLS.Certificates...)
|
||||||
|
|
||||||
for key, store := range configuration.TLS.Stores {
|
for key, store := range configuration.TLS.Stores {
|
||||||
|
if key != "default" {
|
||||||
|
key = provider.MakeQualifiedName(pvd, key)
|
||||||
|
} else {
|
||||||
|
defaultTLSStoreProviders = append(defaultTLSStoreProviders, pvd)
|
||||||
|
}
|
||||||
conf.TLS.Stores[key] = store
|
conf.TLS.Stores[key] = store
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -79,6 +85,11 @@ func mergeConfiguration(configurations dynamic.Configurations) dynamic.Configura
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(defaultTLSStoreProviders) > 1 {
|
||||||
|
log.WithoutContext().Errorf("Default TLS Stores defined multiple times in %v", defaultTLSOptionProviders)
|
||||||
|
delete(conf.TLS.Stores, "default")
|
||||||
|
}
|
||||||
|
|
||||||
if len(defaultTLSOptionProviders) == 0 {
|
if len(defaultTLSOptionProviders) == 0 {
|
||||||
conf.TLS.Options["default"] = tls.DefaultTLSOptions
|
conf.TLS.Options["default"] = tls.DefaultTLSOptions
|
||||||
} else if len(defaultTLSOptionProviders) > 1 {
|
} else if len(defaultTLSOptionProviders) > 1 {
|
||||||
|
|
|
@ -294,3 +294,95 @@ func TestAggregator_tlsoptions(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestAggregator_tlsStore(t *testing.T) {
|
||||||
|
testCases := []struct {
|
||||||
|
desc string
|
||||||
|
given dynamic.Configurations
|
||||||
|
expected map[string]tls.Store
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
desc: "Create a valid default tls store when appears only in one provider",
|
||||||
|
given: dynamic.Configurations{
|
||||||
|
"provider-1": &dynamic.Configuration{
|
||||||
|
TLS: &dynamic.TLSConfiguration{
|
||||||
|
Stores: map[string]tls.Store{
|
||||||
|
"default": {
|
||||||
|
DefaultCertificate: &tls.Certificate{
|
||||||
|
CertFile: "foo",
|
||||||
|
KeyFile: "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"provider-2": &dynamic.Configuration{
|
||||||
|
TLS: &dynamic.TLSConfiguration{
|
||||||
|
Stores: map[string]tls.Store{
|
||||||
|
"foo": {
|
||||||
|
DefaultCertificate: &tls.Certificate{
|
||||||
|
CertFile: "foo",
|
||||||
|
KeyFile: "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expected: map[string]tls.Store{
|
||||||
|
"default": {
|
||||||
|
DefaultCertificate: &tls.Certificate{
|
||||||
|
CertFile: "foo",
|
||||||
|
KeyFile: "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"foo@provider-2": {
|
||||||
|
DefaultCertificate: &tls.Certificate{
|
||||||
|
CertFile: "foo",
|
||||||
|
KeyFile: "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "Don't default tls store when appears two times",
|
||||||
|
given: dynamic.Configurations{
|
||||||
|
"provider-1": &dynamic.Configuration{
|
||||||
|
TLS: &dynamic.TLSConfiguration{
|
||||||
|
Stores: map[string]tls.Store{
|
||||||
|
"default": {
|
||||||
|
DefaultCertificate: &tls.Certificate{
|
||||||
|
CertFile: "foo",
|
||||||
|
KeyFile: "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"provider-2": &dynamic.Configuration{
|
||||||
|
TLS: &dynamic.TLSConfiguration{
|
||||||
|
Stores: map[string]tls.Store{
|
||||||
|
"default": {
|
||||||
|
DefaultCertificate: &tls.Certificate{
|
||||||
|
CertFile: "foo",
|
||||||
|
KeyFile: "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expected: map[string]tls.Store{},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, test := range testCases {
|
||||||
|
test := test
|
||||||
|
t.Run(test.desc, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
actual := mergeConfiguration(test.given)
|
||||||
|
assert.Equal(t, test.expected, actual.TLS.Stores)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue