knative-extensions · KauzClay · Mar 18, 2024 · Mar 18, 2024 · Mar 19, 2024 · Mar 19, 2024
diff --git a/config/config-gateway.yaml b/config/config-gateway.yaml
@@ -51,3 +51,9 @@ data:
         class: istio
         gateway: istio-system/knative-local-gateway
         service: istio-system/knative-local-gateway
+
+    # If auto-TLS is disabled fallback to the following certificate
+    #
+    # An operator is required to setup a ReferenceGrant
+    # for this secret to be used
+    default-tls-secret: "some-namespace/some-secret"
diff --git a/pkg/reconciler/ingress/config/gateway.go b/pkg/reconciler/ingress/config/gateway.go
@@ -22,6 +22,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/cache"
+	"knative.dev/pkg/configmap"
 	"sigs.k8s.io/yaml"
 
 	"knative.dev/networking/pkg/apis/networking/v1alpha1"
@@ -35,6 +36,8 @@ const (
 
 	visibilityConfigKey = "visibility"
 
+	defaultTLSSecretKey = "default-tls-secret" // #nosec G101
+
 	// defaultGatewayClass is the gatewayclass name for the gateway.
 	defaultGatewayClass = "istio"
 )
@@ -73,35 +76,39 @@ type Gateway struct {
 	// corresponding gateway.  If multiple selectors match, we choose
 	// the most specific selector.
 	Gateways map[v1alpha1.IngressVisibility]GatewayConfig
+
+	DefaultTLSSecret *types.NamespacedName
 }
 
 // NewGatewayFromConfigMap creates a Gateway from the supplied ConfigMap
 func NewGatewayFromConfigMap(configMap *corev1.ConfigMap) (*Gateway, error) {
-	v, ok := configMap.Data[visibilityConfigKey]
-	if !ok {
-		// These are the defaults.
-		return &Gateway{
-			Gateways: map[v1alpha1.IngressVisibility]GatewayConfig{
-				v1alpha1.IngressVisibilityExternalIP:   {GatewayClass: defaultGatewayClass, Gateway: defaultIstioGateway, Service: defaultGatewayService},
-				v1alpha1.IngressVisibilityClusterLocal: {GatewayClass: defaultGatewayClass, Gateway: defaultIstioLocalGateway, Service: defaultLocalGatewayService},
-			},
-		}, nil
-	}
 
-	visConfig := make(map[v1alpha1.IngressVisibility]visibilityValue)
-	if err := yaml.Unmarshal([]byte(v), &visConfig); err != nil {
+	var defaultTLSSecret *types.NamespacedName
+	if err := configmap.Parse(configMap.Data, configmap.AsOptionalNamespacedName(defaultTLSSecretKey, &defaultTLSSecret)); err != nil {
 		return nil, err
 	}
 
-	for _, vis := range []v1alpha1.IngressVisibility{
-		v1alpha1.IngressVisibilityClusterLocal,
-		v1alpha1.IngressVisibilityExternalIP,
-	} {
-		if _, ok := visConfig[vis]; !ok {
-			return nil, fmt.Errorf("visibility %q must not be empty", vis)
+	v, ok := configMap.Data[visibilityConfigKey]
+	visConfig := make(map[v1alpha1.IngressVisibility]visibilityValue)
+	if !ok {
+		// These are the defaults.
+		visConfig[v1alpha1.IngressVisibilityExternalIP] = visibilityValue{GatewayClass: defaultGatewayClass, Gateway: defaultIstioGateway.String(), Service: defaultGatewayService.String()}
+		visConfig[v1alpha1.IngressVisibilityClusterLocal] = visibilityValue{GatewayClass: defaultGatewayClass, Gateway: defaultIstioLocalGateway.String(), Service: defaultLocalGatewayService.String()}
+	} else {
+		if err := yaml.Unmarshal([]byte(v), &visConfig); err != nil {
+			return nil, err
+		}
+
+		for _, vis := range []v1alpha1.IngressVisibility{
+			v1alpha1.IngressVisibilityClusterLocal,
+			v1alpha1.IngressVisibilityExternalIP,
+		} {
+			if _, ok := visConfig[vis]; !ok {
+				return nil, fmt.Errorf("visibility %q must not be empty", vis)
+			}
 		}
-	}
 
+	}
 	entry := make(map[v1alpha1.IngressVisibility]GatewayConfig)
 	for key, value := range visConfig {
 		// Check that the visibility makes sense.
@@ -127,7 +134,8 @@ func NewGatewayFromConfigMap(configMap *corev1.ConfigMap) (*Gateway, error) {
 			Service:      service,
 		}
 	}
-	return &Gateway{Gateways: entry}, nil
+
+	return &Gateway{Gateways: entry, DefaultTLSSecret: defaultTLSSecret}, nil
 }
 
 func parseNamespacedName(namespacedName string) (*types.NamespacedName, error) {

diff --git a/pkg/reconciler/ingress/config/gateway_test.go b/pkg/reconciler/ingress/config/gateway_test.go
@@ -17,19 +17,56 @@ limitations under the License.
 package config
 
 import (
+	"strings"
 	"testing"
 
 	. "knative.dev/pkg/configmap/testing"
 )
 
+var badVisibilityEntry = `
+this isn't yaml???
+`
+
+var emptyVisibilityEntry = `
+
+`
+
 func TestGateway(t *testing.T) {
-	cm, example := ConfigMapsFromTestFile(t, GatewayConfigName)
+	cm, example := ConfigMapsFromTestFile(t, GatewayConfigName, defaultTLSSecretKey)
 
 	if _, err := NewGatewayFromConfigMap(cm); err != nil {
 		t.Error("NewContourFromConfigMap(actual) =", err)
 	}
 
+	cm.Data[defaultTLSSecretKey] = "secret-no-namespace"
+	if _, err := NewGatewayFromConfigMap(cm); err == nil {
+		t.Error("NewContourFromConfigMap(actual) with bad defaultTLSSecretKey value did not fail")
+	}
+
+	delete(cm.Data, defaultTLSSecretKey)
+
+	cm.Data[visibilityConfigKey] = badVisibilityEntry
+
+	_, err := NewGatewayFromConfigMap(cm)
+	expectedError := "error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type map[v1alpha1.IngressVisibility]config.visibilityValu"
+	if err == nil {
+		t.Error("NewContourFromConfigMap(actual) with bad visibility config value did not fail")
+	} else if !strings.Contains(err.Error(), expectedError) {
+		t.Error("NewContourFromConfigMap(actual) with bad visibility config failed with unexpected error message:", err)
+	}
+
+	cm.Data[visibilityConfigKey] = emptyVisibilityEntry
+
+	_, err = NewGatewayFromConfigMap(cm)
+	expectedError = "visibility \"ClusterLocal\" must not be empty"
+	if err == nil {
+		t.Error("NewContourFromConfigMap(actual) with empty visibility config value did not fail")
+	} else if !strings.Contains(err.Error(), expectedError) {
+		t.Error("NewContourFromConfigMap(actual) with empty visibility config value failed with unexpected error message:", err)
+	}
+
 	if _, err := NewGatewayFromConfigMap(example); err != nil {
 		t.Error("NewContourFromConfigMap(example) =", err)
 	}
+
 }
diff --git a/pkg/reconciler/ingress/config/testdata/config-gateway.yaml b/pkg/reconciler/ingress/config/testdata/config-gateway.yaml
@@ -18,6 +18,7 @@ metadata:
   name: config-gateway
   namespace: knative-serving
 data:
+  default-tls-secret: test-ns/test-secret
   _example: |
     ################################
     #                              #
@@ -46,3 +47,9 @@ data:
         class: istio
         gateway: istio-system/knative-local-gateway
         service: istio-system/knative-local-gateway
+
+    # If auto-TLS is disabled fallback to the following certificate
+    #
+    # An operator is required to setup a ReferenceGrant
+    # for this secret to be used
+    default-tls-secret: "some-namespace/some-secret"
diff --git a/pkg/reconciler/ingress/config/zz_generated.deepcopy.go b/pkg/reconciler/ingress/config/zz_generated.deepcopy.go
diff --git a/pkg/reconciler/ingress/ingress.go b/pkg/reconciler/ingress/ingress.go
@@ -121,6 +121,20 @@
 		listeners = append(listeners, l...)
 	}
 
+	if len(listeners) == 0 && gatewayConfig.DefaultTLSSecret != nil {
+		//AutoTLS is not on, but there is a defaultTLSSecret
+		ingressTLS := &v1alpha1.IngressTLS{
+			Hosts:           getExternalVisibilityHostnames(ing),
+			SecretName:      gatewayConfig.DefaultTLSSecret.Name,
+			SecretNamespace: gatewayConfig.DefaultTLSSecret.Namespace,
+		}
+		l, err := c.reconcileTLS(ctx, ingressTLS, ing)
+		if err != nil {
+			return err
+		}
+		listeners = append(listeners, l...)
+	}
+
 	if len(listeners) > 0 {
 		// For now, we only reconcile the external visibility, because there's
 		// no way to provide TLS for internal listeners.
@@ -180,3 +194,18 @@
 	}
 	return false
 }
+
+func getExternalVisibilityHostnames(ing *v1alpha1.Ingress) []string {
+	var hostnames []string
+
+	for _, rule := range ing.Spec.Rules {
+		if rule.Visibility == v1alpha1.IngressVisibilityExternalIP {
+			if rule.Hosts != nil && len(rule.Hosts) > 0 {
+				hostnames = append(hostnames, rule.Hosts...)
+			}
+		}
+	}
+
+	return hostnames
+
+}