Posted to notifications@apisix.apache.org by zh...@apache.org on 2023/03/15 01:20:23 UTC
[apisix-ingress-controller] branch master updated: feat: ApisixTls suuport ingressClass (#1714)
This is an automated email from the ASF dual-hosted git repository.
zhangjintao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-ingress-controller.git
The following commit(s) were added to refs/heads/master by this push:
new 3abe8af8 feat: ApisixTls suuport ingressClass (#1714)
3abe8af8 is described below
commit 3abe8af8a7db8f12fa4b3016ab794716da08fe8a
Author: Xin Rong <al...@gmail.com>
AuthorDate: Wed Mar 15 09:20:16 2023 +0800
feat: ApisixTls suuport ingressClass (#1714)
---
pkg/kube/apisix/apis/config/v2/types.go | 6 +
pkg/providers/apisix/apisix_tls.go | 21 ++++
pkg/providers/apisix/apisix_upstream.go | 9 +-
samples/deploy/crd/v1/ApisixTls.yaml | 2 +
test/e2e/scaffold/ssl.go | 11 +-
.../suite-ingress-features/ingress-class.go | 133 +++++++++++++++++++++
6 files changed, 177 insertions(+), 5 deletions(-)
diff --git a/pkg/kube/apisix/apis/config/v2/types.go b/pkg/kube/apisix/apis/config/v2/types.go
index fbbfb5ce..d7d717d2 100644
--- a/pkg/kube/apisix/apis/config/v2/types.go
+++ b/pkg/kube/apisix/apis/config/v2/types.go
@@ -730,6 +730,12 @@ type HostType string
// ApisixTlsSpec is the specification of ApisixSSL.
type ApisixTlsSpec struct {
+ // IngressClassName is the name of an IngressClass cluster resource.
+ // controller implementations use this field to know whether they should be
+ // serving this ApisixTls resource, by a transitive connection
+ // (controller -> IngressClass -> ApisixTls resource).
+ // +optional
+ IngressClassName string `json:"ingressClassName,omitempty" yaml:"ingressClassName,omitempty"`
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MinItems=1
diff --git a/pkg/providers/apisix/apisix_tls.go b/pkg/providers/apisix/apisix_tls.go
index d10f5ca0..2a432604 100644
--- a/pkg/providers/apisix/apisix_tls.go
+++ b/pkg/providers/apisix/apisix_tls.go
@@ -284,6 +284,9 @@ func (c *apisixTlsController) onAdd(obj interface{}) {
if !c.namespaceProvider.IsWatchingNamespace(key) {
return
}
+ if !c.isEffective(tls) {
+ return
+ }
log.Debugw("ApisixTls add event arrived",
zap.Any("object", obj),
)
@@ -320,6 +323,9 @@ func (c *apisixTlsController) onUpdate(prev, curr interface{}) {
if !c.namespaceProvider.IsWatchingNamespace(key) {
return
}
+ if !c.isEffective(newTls) {
+ return
+ }
log.Debugw("ApisixTls update event arrived",
zap.Any("new object", curr),
zap.Any("old object", prev),
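Review bot: The new guard in onUpdate looks only at `newTls`, so an ApisixTls whose `ingressClassName` is edited from a class this controller serves to one it does not is dropped here, and nothing in the visible hunk removes the SSL object that was synced earlier. The certificate would then stay configured in APISIX although the resource no longer belongs to this controller; the onDelete hunk has the same gap, since a resource re-classed before deletion is skipped there too. Consider evaluating the previous object as well, e.g. `if !c.isEffective(newTls) && !c.isEffective(oldTls) { return }` (`oldTls` is a placeholder for whatever the function calls the previous object), and turning the "no longer effective" case into a delete event. onUpdate's body starts and ends outside the hunk, so this may be handled elsewhere; worth confirming.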
@@ -357,6 +363,9 @@ func (c *apisixTlsController) onDelete(obj interface{}) {
if !c.namespaceProvider.IsWatchingNamespace(key) {
return
}
+ if !c.isEffective(tls) {
+ return
+ }
log.Debugw("ApisixTls delete event arrived",
zap.Any("final state", obj),
)
@@ -655,3 +664,15 @@ func (c *apisixTlsController) syncSSLsAndUpdateStatusV2(ctx context.Context, ev
return true
}
}
+
+func (c *apisixTlsController) isEffective(atls kube.ApisixTls) bool {
+ if atls.GroupVersion() == config.ApisixV2 {
+ var ingClassName string
+ if atls.V2().Spec != nil {
+ ingClassName = atls.V2().Spec.IngressClassName
+ }
+ return utils.MatchCRDsIngressClass(ingClassName, c.Kubernetes.IngressClass)
+ }
+ // Compatible with legacy versions
+ return true
+}
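Review bot: isEffective is wired into onAdd, onUpdate and onDelete only, whereas the apisix_upstream.go part of this commit also filters inside ResourceSync; no equivalent change to a resync path is visible for apisix_tls.go. If this controller has a ResourceSync that enqueues every cached ApisixTls, resources of another ingress class would still be pushed on resync, so please confirm. The function also lacks a doc comment; something like `// isEffective reports whether atls belongs to the ingress class this controller serves; a nil v2 Spec is matched as an empty class name and non-v2 resources always pass.` would record the nil-Spec and legacy behaviour.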
diff --git a/pkg/providers/apisix/apisix_upstream.go b/pkg/providers/apisix/apisix_upstream.go
index dbe6b7e8..e13ed0ad 100644
--- a/pkg/providers/apisix/apisix_upstream.go
+++ b/pkg/providers/apisix/apisix_upstream.go
@@ -659,7 +659,10 @@ func (c *apisixUpstreamController) ResourceSync() {
au, err := kube.NewApisixUpstream(obj)
if err != nil {
log.Errorw("ApisixUpstream sync failed, found ApisixUpstream resource with bad type", zap.Error(err))
- return
+ continue
+ }
+ if !c.isEffective(au) {
+ continue
}
c.workqueue.Add(&types.Event{
Type: types.EventAdd,
@@ -878,9 +881,11 @@ func (c *apisixUpstreamController) recordStatus(at interface{}, reason string, e
func (c *apisixUpstreamController) isEffective(au kube.ApisixUpstream) bool {
if au.GroupVersion() == config.ApisixV2 {
+ var ingClassName string
if au.V2().Spec != nil {
- return utils.MatchCRDsIngressClass(au.V2().Spec.IngressClassName, c.Kubernetes.IngressClass)
+ ingClassName = au.V2().Spec.IngressClassName
}
+ return utils.MatchCRDsIngressClass(ingClassName, c.Kubernetes.IngressClass)
}
// Compatible with legacy versions
return true
diff --git a/samples/deploy/crd/v1/ApisixTls.yaml b/samples/deploy/crd/v1/ApisixTls.yaml
index 202e8c02..5cd39e87 100644
--- a/samples/deploy/crd/v1/ApisixTls.yaml
+++ b/samples/deploy/crd/v1/ApisixTls.yaml
@@ -231,6 +231,8 @@ spec:
- hosts
- secret
properties:
+ ingressClassName:
+ type: string
client:
description: ApisixMutualTlsClientConfig describes the mutual TLS
CA and verify depth
diff --git a/test/e2e/scaffold/ssl.go b/test/e2e/scaffold/ssl.go
index ae171086..242f1d95 100644
--- a/test/e2e/scaffold/ssl.go
+++ b/test/e2e/scaffold/ssl.go
@@ -55,6 +55,7 @@ kind: ApisixTls
metadata:
name: %s
spec:
+ %s
hosts:
- %s
secret:
@@ -113,8 +114,12 @@ func (s *Scaffold) NewClientCASecret(name, cert, key string) error {
}
// NewApisixTls new a ApisixTls CRD
-func (s *Scaffold) NewApisixTls(name, host, secretName string) error {
- tls := fmt.Sprintf(_api6tlsTemplate, s.opts.ApisixResourceVersion, name, host, secretName, s.kubectlOptions.Namespace)
+func (s *Scaffold) NewApisixTls(name, host, secretName string, ingressClassName ...string) error {
+ var ingClassName string
+ if len(ingressClassName) > 0 {
+ ingClassName = "ingressClassName: " + ingressClassName[0]
+ }
+ tls := fmt.Sprintf(_api6tlsTemplate, s.opts.ApisixResourceVersion, name, ingClassName, host, secretName, s.kubectlOptions.Namespace)
if err := s.CreateResourceFromString(tls); err != nil {
return err
}
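Review bot: The variadic `ingressClassName ...string` is used as an optional argument and every value after the first is silently dropped, which the doc comment does not say. Suggest `// NewApisixTls creates an ApisixTls resource; an optional first ingressClassName sets spec.ingressClassName, further values are ignored.` The value is concatenated into the YAML template unquoted, which is fine for the constant class names the tests pass but would produce a malformed manifest for a value containing YAML-special characters. The function body continues outside the hunk.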
@@ -132,7 +137,7 @@ func (s *Scaffold) NewApisixTlsWithClientCA(name, host, secretName, clientCASecr
// DeleteApisixTls remove ApisixTls CRD
func (s *Scaffold) DeleteApisixTls(name string, host, secretName string) error {
- tls := fmt.Sprintf(_api6tlsTemplate, s.opts.ApisixResourceVersion, name, host, secretName, s.kubectlOptions.Namespace)
+ tls := fmt.Sprintf(_api6tlsTemplate, s.opts.ApisixResourceVersion, name, "", host, secretName, s.kubectlOptions.Namespace)
if err := k8s.KubectlDeleteFromStringE(s.t, s.kubectlOptions, tls); err != nil {
return err
}
diff --git a/test/e2e/suite-ingress/suite-ingress-features/ingress-class.go b/test/e2e/suite-ingress/suite-ingress-features/ingress-class.go
index a61a0a41..580d0bed 100644
--- a/test/e2e/suite-ingress/suite-ingress-features/ingress-class.go
+++ b/test/e2e/suite-ingress/suite-ingress-features/ingress-class.go
@@ -25,6 +25,57 @@ import (
"github.com/apache/apisix-ingress-controller/test/e2e/scaffold"
)
+const (
+ _secretName = "test-apisix-tls"
+ _cert = `-----BEGIN CERTIFICATE-----
+MIIDSjCCAjICCQC/34ZwGz7ZXjANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJD
+TjEQMA4GA1UECAwHSmlhbmdzdTEPMA0GA1UEBwwGU3V6aG91MQ8wDQYDVQQKDAZ6
+aGlsaXUxEDAOBgNVBAsMB3NlY3Rpb24xETAPBgNVBAMMCHRlc3QuY29tMCAXDTIx
+MDIwMzE0MjkwOVoYDzIwNTEwMTI3MTQyOTA5WjBmMQswCQYDVQQGEwJDTjEQMA4G
+A1UECAwHSmlhbmdzdTEPMA0GA1UEBwwGU3V6aG91MQ8wDQYDVQQKDAZ6aGlsaXUx
+EDAOBgNVBAsMB3NlY3Rpb24xETAPBgNVBAMMCHRlc3QuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3DEQ5K9PVYicINTHt3arqrsrftrhotyBuGqM
+xxqGMVO/E2SAa/81fC1UCcjYV4Wila0kl8i5fa8HjtVm5UWlrqxeFLOS3E0Wv2QY
+w46BGZJY4InE9zKwYyC2DkBxE6p14JRjmtW/MQPNaOFjJ4bmCuRHsEzmQIGRM0b7
+oKHjfFwv6l7BahgGf9ShHOMdHSkgWj6+2RU3282lrO9bY1JBTKu2Znv9M79nu1Px
+Tn1wCfcuCwA7WQT/QSrE2R43I2vmbIbuSmeg9ivjMazRYQQ+qxQn/6zhiHvP3QZG
+dKmp8imdYi+r84PKOLDEe/yxlgIdr2Au5WCPWwyYMYPWHzeD1wIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQBYzNe83mPVuz96TZ3fmxtOIuz9b6q5JWiJiOzjAD9902Se
+TNYzMM6T/5e0dBpj8Z2qQlhkfNxJJgTwGEE8SdrZIr8DhswR9a0bXDCZjLatCdeU
+iYpt+TDAuySnLhAcd3GfE5ml6am2dOsOKpxHU/8clUSaz+21fckRopWo+xL6rSVC
+4vvKqiU+LWLTZPQNoOqowl7bxoQO2jMWfN/5zvQOFxAbEufIPa9ti3qonDCXbkYn
+PpET/mPDrcb4bGsZkW/cu0LrPSUVp12br5TAYaXqYS0Ex+jAVTXML9SeEQuvU3dH
+5Uw2wVHxQXHglsdCYUXXFd3HZffb4rSQH+Mk0CBI
+-----END CERTIFICATE-----`
+ _key = `-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----`
+)
+
var _ = ginkgo.Describe("suite-ingress-features: Testing CRDs with IngressClass", func() {
s := scaffold.NewScaffold(&scaffold.Options{
Name: "ingress-class",
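Review bot: `_key` embeds a PEM RSA private key in the test source with nothing marking it as a throwaway fixture, so secret scanners will flag it and a reader cannot tell whether the same key is in use anywhere else. A comment above the const block such as `// Test-only certificate and key fixture; must never be used outside the e2e suite.` would settle that. Alternatively the pair could be generated at suite start with crypto/rsa and crypto/x509, which keeps key material out of the repository altogether.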
@@ -284,6 +335,50 @@ spec:
resp.Status(http.StatusOK)
resp.Body().IsEqual("my custom body")
})
+
+ ginkgo.It("ApisiTls should be handled", func() {
+ err := s.NewSecret(_secretName, _cert, _key)
+ assert.Nil(ginkgo.GinkgoT(), err, "create secret error")
+ // create ApisixTls resource without ingressClassName
+ tlsName := "tls-name"
+ host := "api6.com"
+ err = s.NewApisixTls(tlsName, host, _secretName)
+ assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+ time.Sleep(6 * time.Second)
+
+ // check ssl in APISIX
+ tls, err := s.ListApisixSsl()
+ assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+ assert.Len(ginkgo.GinkgoT(), tls, 1, "tls number not expect")
+ assert.Equal(ginkgo.GinkgoT(), tls[0].Snis[0], host, "tls host is error")
+
+ // update ApisixTls resource with ingressClassName: apisix
+ host2 := "api7.com"
+ err = s.NewApisixTls(tlsName, host2, _secretName, "apisix")
+ assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+ time.Sleep(6 * time.Second)
+
+ // check ssl in APISIX
+ tls, err = s.ListApisixSsl()
+ assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+ assert.Len(ginkgo.GinkgoT(), tls, 1, "tls number not expect")
+ assert.Equal(ginkgo.GinkgoT(), tls[0].Snis[0], host2, "tls host is error")
+ })
+
+ ginkgo.It("ApisiTls should be ignored", func() {
+ err := s.NewSecret(_secretName, _cert, _key)
+ assert.Nil(ginkgo.GinkgoT(), err, "create secret error")
+ // create ApisixTls resource with ingressClassName: ignored
+ tlsName := "tls-name"
+ host := "api6.com"
+ err = s.NewApisixTls(tlsName, host, _secretName, "ignored")
+ assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+ time.Sleep(6 * time.Second)
+ // check ssl in APISIX
+ tls, err := s.ListApisixSsl()
+ assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+ assert.Len(ginkgo.GinkgoT(), tls, 0, "tls number not expect")
+ })
})
var _ = ginkgo.Describe("suite-ingress-features: Testing CRDs with IngressClass apisix-and-all", func() {
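Review bot: Neither new spec covers the transition that matters most for class scoping: an ApisixTls already synced under a served class and then updated to a class the controller does not serve (here `ignored`), with an assertion that ListApisixSsl drops to 0. The "handled" spec only moves from no class to `apisix`, and the "ignored" spec starts from a resource that was never synced. Separately, the spec names read `ApisiTls` (also in the hunk at the end of this file) and should be `ApisixTls`. The fixed `time.Sleep(6 * time.Second)` waits make the assertions timing-dependent; polling until the expected count is reached would be more robust.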
@@ -470,4 +565,42 @@ spec:
resp.Status(http.StatusOK)
resp.Body().IsEqual("my custom body")
})
+
+ ginkgo.It("ApisiTls should be handled", func() {
+ err := s.NewSecret(_secretName, _cert, _key)
+ assert.Nil(ginkgo.GinkgoT(), err, "create secret error")
+ // create ApisixTls resource without ingressClassName
+ tlsName := "tls-name"
+ host := "api6.com"
+ err = s.NewApisixTls(tlsName, host, _secretName)
+ assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+ time.Sleep(6 * time.Second)
+ // check ssl in APISIX
+ tls, err := s.ListApisixSsl()
+ assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+ assert.Len(ginkgo.GinkgoT(), tls, 1, "tls number not expect")
+ assert.Equal(ginkgo.GinkgoT(), tls[0].Snis[0], host, "tls host is error")
+
+ // update ApisixTls resource with ingressClassName: apisix
+ host2 := "api7.com"
+ err = s.NewApisixTls(tlsName, host2, _secretName, "apisix")
+ assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+ time.Sleep(6 * time.Second)
+ // check ssl in APISIX
+ tls, err = s.ListApisixSsl()
+ assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+ assert.Len(ginkgo.GinkgoT(), tls, 1, "tls number not expect")
+ assert.Equal(ginkgo.GinkgoT(), tls[0].Snis[0], host2, "tls host is error")
+
+ // update ApisixTls resource with ingressClassName: watch
+ host3 := "api7.org"
+ err = s.NewApisixTls(tlsName, host3, _secretName, "watch")
+ assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+ time.Sleep(6 * time.Second)
+ // check ssl in APISIX
+ tls, err = s.ListApisixSsl()
+ assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+ assert.Len(ginkgo.GinkgoT(), tls, 1, "tls number not expect")
+ assert.Equal(ginkgo.GinkgoT(), tls[0].Snis[0], host3, "tls host is error")
+ })
})