last commit

Signed-off-by: Mattia Lavacca <[email protected]>
Kong · Dec 6, 2024 · de488b5 · de488b5
1 parent 5b9efea
commit de488b5
Show file tree

Hide file tree

Showing 8 changed files with 94 additions and 63 deletions.
diff --git a/examples/ingress-upstream-tls.yaml b/examples/ingress-upstream-tls.yaml
@@ -43,7 +43,7 @@ metadata:
   name: goecho
   annotations:
     konghq.com/tls-verify: "true"    # Enable TLS verification of the upstream.
-    konghq.com/ca-certificates: "ca" # The CA root certificate secret used for verification.
+    konghq.com/ca-certificates-secret: "ca" # The CA root certificate secret used for verification.
     konghq.com/protocol: "https"     # Has to be either https or tls when TLS verification is enabled.
     konghq.com/host-header: "goecho" # This will make Kong use `goecho` server name when validating server-presented TLS certificate.
 spec:

diff --git a/internal/annotations/annotations.go b/internal/annotations/annotations.go
@@ -41,36 +41,36 @@ const (
 
 	AnnotationPrefix = "konghq.com"
 
-	ConfigurationKey               = "/override"
-	PluginsKey                     = "/plugins"
-	ProtocolKey                    = "/protocol"
-	ProtocolsKey                   = "/protocols"
-	ClientCertKey                  = "/client-cert"
-	StripPathKey                   = "/strip-path"
-	PathKey                        = "/path"
-	HTTPSRedirectCodeKey           = "/https-redirect-status-code"
-	PreserveHostKey                = "/preserve-host"
-	RegexPriorityKey               = "/regex-priority"
-	HostHeaderKey                  = "/host-header"
-	MethodsKey                     = "/methods"
-	SNIsKey                        = "/snis"
-	RequestBuffering               = "/request-buffering"
-	ResponseBuffering              = "/response-buffering"
-	HostAliasesKey                 = "/host-aliases"
-	RegexPrefixKey                 = "/regex-prefix"
-	ConnectTimeoutKey              = "/connect-timeout"
-	WriteTimeoutKey                = "/write-timeout"
-	ReadTimeoutKey                 = "/read-timeout"
-	RetriesKey                     = "/retries"
-	HeadersKey                     = "/headers"
-	HeadersSeparatorKey            = "/headers-separator"
-	PathHandlingKey                = "/path-handling"
-	UserTagKey                     = "/tags"
-	RewriteURIKey                  = "/rewrite"
-	TLSVerifyKey                   = "/tls-verify"
-	TLSVerifyDepthKey              = "/tls-verify-depth"
-	CACertificatesFromSecretKey    = "/ca-certificates-from-secret"
-	CACertificatesFromConfigMapKey = "/ca-certificates-from-configmap"
+	ConfigurationKey            = "/override"
+	PluginsKey                  = "/plugins"
+	ProtocolKey                 = "/protocol"
+	ProtocolsKey                = "/protocols"
+	ClientCertKey               = "/client-cert"
+	StripPathKey                = "/strip-path"
+	PathKey                     = "/path"
+	HTTPSRedirectCodeKey        = "/https-redirect-status-code"
+	PreserveHostKey             = "/preserve-host"
+	RegexPriorityKey            = "/regex-priority"
+	HostHeaderKey               = "/host-header"
+	MethodsKey                  = "/methods"
+	SNIsKey                     = "/snis"
+	RequestBuffering            = "/request-buffering"
+	ResponseBuffering           = "/response-buffering"
+	HostAliasesKey              = "/host-aliases"
+	RegexPrefixKey              = "/regex-prefix"
+	ConnectTimeoutKey           = "/connect-timeout"
+	WriteTimeoutKey             = "/write-timeout"
+	ReadTimeoutKey              = "/read-timeout"
+	RetriesKey                  = "/retries"
+	HeadersKey                  = "/headers"
+	HeadersSeparatorKey         = "/headers-separator"
+	PathHandlingKey             = "/path-handling"
+	UserTagKey                  = "/tags"
+	RewriteURIKey               = "/rewrite"
+	TLSVerifyKey                = "/tls-verify"
+	TLSVerifyDepthKey           = "/tls-verify-depth"
+	CACertificatesSecretsKey    = "/ca-certificates-secret"
+	CACertificatesConfigMapsKey = "/ca-certificates-configmap"
 
 	// GatewayClassUnmanagedKey is an annotation used on a Gateway resource to
 	// indicate that the GatewayClass should be reconciled according to unmanaged
@@ -399,15 +399,15 @@ func ExtractTLSVerifyDepth(anns map[string]string) (int, bool) {
 // ExtractCACertificatesFromSecrets extracts the ca-certificates secret names from the annotation.
 // It expects a comma-separated list of certificate names.
 func ExtractCACertificatesFromSecrets(anns map[string]string) []string {
-	s, ok := anns[AnnotationPrefix+CACertificatesFromSecretKey]
+	s, ok := anns[AnnotationPrefix+CACertificatesSecretsKey]
 	if !ok {
 		return nil
 	}
 	return extractCommaDelimitedStrings(s)
 }
 
 func ExtractCACertificatesFromConfigMap(anns map[string]string) []string {
-	s, ok := anns[AnnotationPrefix+CACertificatesFromConfigMapKey]
+	s, ok := anns[AnnotationPrefix+CACertificatesConfigMapsKey]
 	if !ok {
 		return nil
 	}
@@ -457,11 +457,11 @@ func SetTLSVerify(anns map[string]string, value bool) {
 
 // SetCACertificates merge the ca-certificates secret names into the already existing CA certificates set via annotation.
 func SetCACertificates(anns map[string]string, certificates []string) {
-	existingCACerts := anns[AnnotationPrefix+CACertificatesFromConfigMapKey]
+	existingCACerts := anns[AnnotationPrefix+CACertificatesConfigMapsKey]
 	if existingCACerts == "" {
-		anns[AnnotationPrefix+CACertificatesFromConfigMapKey] = strings.Join(certificates, ",")
+		anns[AnnotationPrefix+CACertificatesConfigMapsKey] = strings.Join(certificates, ",")
 	} else {
-		anns[AnnotationPrefix+CACertificatesFromConfigMapKey] = existingCACerts + "," + strings.Join(certificates, ",")
+		anns[AnnotationPrefix+CACertificatesConfigMapsKey] = existingCACerts + "," + strings.Join(certificates, ",")
 	}
 }
 
@@ -474,3 +474,8 @@ func SetHostHeader(anns map[string]string, value string) {
 func SetProtocol(anns map[string]string, value string) {
 	anns[AnnotationPrefix+ProtocolKey] = value
 }
+
+// SetTLSVerifyDepth sets the tls-verify-depth annotation value.
+func SetTLSVerifyDepth(anns map[string]string, depth int) {
+	anns[AnnotationPrefix+TLSVerifyDepthKey] = strconv.Itoa(depth)
+}
diff --git a/internal/annotations/annotations_test.go b/internal/annotations/annotations_test.go
@@ -1112,13 +1112,13 @@ func TestExtractCACertificates(t *testing.T) {
 	v = ExtractCACertificatesFromSecrets(map[string]string{})
 	assert.Empty(t, v)
 
-	v = ExtractCACertificatesFromSecrets(map[string]string{AnnotationPrefix + CACertificatesFromSecretKey: "foo,bar"})
+	v = ExtractCACertificatesFromSecrets(map[string]string{AnnotationPrefix + CACertificatesSecretsKey: "foo,bar"})
 	assert.Equal(t, []string{"foo", "bar"}, v, "expected to split by comma")
 
-	v = ExtractCACertificatesFromSecrets(map[string]string{AnnotationPrefix + CACertificatesFromSecretKey: " foo, bar ,baz "})
+	v = ExtractCACertificatesFromSecrets(map[string]string{AnnotationPrefix + CACertificatesSecretsKey: " foo, bar ,baz "})
 	assert.Equal(t, []string{"foo", "bar", "baz"}, v, "expected to trim spaces")
 
-	v = ExtractCACertificatesFromSecrets(map[string]string{AnnotationPrefix + CACertificatesFromSecretKey: "foo, bar,  "})
+	v = ExtractCACertificatesFromSecrets(map[string]string{AnnotationPrefix + CACertificatesSecretsKey: "foo, bar,  "})
 	assert.Equal(t, []string{"foo", "bar"}, v, "expected to ignore empty values")
 }
 

diff --git a/internal/dataplane/translator/ingressrules.go b/internal/dataplane/translator/ingressrules.go
@@ -2,6 +2,7 @@ package translator
 
 import (
 	"fmt"
+	"strconv"
 	"strings"
 
 	"github.com/go-logr/logr"
@@ -146,6 +147,29 @@ func (ir *ingressRules) handleBackendTLSPolices(
 			return string(ref.Name)
 		}),
 	)
+	if depth, ok := getTLSVerifyDepthOption(policy.Spec.Options); ok {
+		annotations.SetTLSVerifyDepth(k8sService.Annotations, depth)
+	}
+}
+
+func getTLSVerifyDepthOption(options map[gatewayapi.AnnotationKey]gatewayapi.AnnotationValue) (int, bool) {
+	// If the annotation is not set, return no depth.
+	depthStr, ok := options[annotations.TLSVerifyDepthKey]
+	if !ok {
+		return 0, false
+	}
+
+	// If the annotation is not an int, return no depth.
+	depth, err := strconv.Atoi(string(depthStr))
+	if err != nil {
+		return 0, false
+	}
+	// If the annotation is < 0, return no depth.
+	if depth < 0 {
+		return 0, false
+	}
+
+	return depth, true
 }
 
 func (ir *ingressRules) handleServiceClientCertificates(

diff --git a/internal/dataplane/translator/ingressrules_test.go b/internal/dataplane/translator/ingressrules_test.go
@@ -654,9 +654,9 @@ func TestPopulateServices(t *testing.T) {
 						Name:      "s-1",
 						Namespace: "test-namespace",
 						Annotations: map[string]string{
-							annotations.AnnotationPrefix + annotations.ProtocolKey:                 "https",
-							annotations.AnnotationPrefix + annotations.TLSVerifyKey:                "true",
-							annotations.AnnotationPrefix + annotations.CACertificatesFromSecretKey: "ca-1,ca-2",
+							annotations.AnnotationPrefix + annotations.ProtocolKey:              "https",
+							annotations.AnnotationPrefix + annotations.TLSVerifyKey:             "true",
+							annotations.AnnotationPrefix + annotations.CACertificatesSecretsKey: "ca-1,ca-2",
 						},
 					},
 				},
@@ -717,8 +717,8 @@ func TestPopulateServices(t *testing.T) {
 						Name:      "s-1",
 						Namespace: "test-namespace",
 						Annotations: map[string]string{
-							annotations.AnnotationPrefix + annotations.ProtocolKey:                 "https",
-							annotations.AnnotationPrefix + annotations.CACertificatesFromSecretKey: "ca-1,ca-2",
+							annotations.AnnotationPrefix + annotations.ProtocolKey:              "https",
+							annotations.AnnotationPrefix + annotations.CACertificatesSecretsKey: "ca-1,ca-2",
 						},
 					},
 				},
@@ -773,9 +773,9 @@ func TestPopulateServices(t *testing.T) {
 						Name:      "s-1",
 						Namespace: "test-namespace",
 						Annotations: map[string]string{
-							annotations.AnnotationPrefix + annotations.ProtocolKey:                 "https",
-							annotations.AnnotationPrefix + annotations.TLSVerifyKey:                "true",
-							annotations.AnnotationPrefix + annotations.CACertificatesFromSecretKey: "ca-not-existing",
+							annotations.AnnotationPrefix + annotations.ProtocolKey:              "https",
+							annotations.AnnotationPrefix + annotations.TLSVerifyKey:             "true",
+							annotations.AnnotationPrefix + annotations.CACertificatesSecretsKey: "ca-not-existing",
 						},
 					},
 				},
@@ -807,9 +807,9 @@ func TestPopulateServices(t *testing.T) {
 						Name:      "s-1",
 						Namespace: "test-namespace",
 						Annotations: map[string]string{
-							annotations.AnnotationPrefix + annotations.ProtocolKey:                 "https",
-							annotations.AnnotationPrefix + annotations.TLSVerifyKey:                "true",
-							annotations.AnnotationPrefix + annotations.CACertificatesFromSecretKey: "ca-1",
+							annotations.AnnotationPrefix + annotations.ProtocolKey:              "https",
+							annotations.AnnotationPrefix + annotations.TLSVerifyKey:             "true",
+							annotations.AnnotationPrefix + annotations.CACertificatesSecretsKey: "ca-1",
 						},
 					},
 				},
@@ -853,9 +853,9 @@ func TestPopulateServices(t *testing.T) {
 						Name:      "s-1",
 						Namespace: "test-namespace",
 						Annotations: map[string]string{
-							annotations.AnnotationPrefix + annotations.TLSVerifyKey:                "true",
-							annotations.AnnotationPrefix + annotations.CACertificatesFromSecretKey: "ca-1",
-							annotations.AnnotationPrefix + annotations.ProtocolKey:                 "grpc",
+							annotations.AnnotationPrefix + annotations.TLSVerifyKey:             "true",
+							annotations.AnnotationPrefix + annotations.CACertificatesSecretsKey: "ca-1",
+							annotations.AnnotationPrefix + annotations.ProtocolKey:              "grpc",
 						},
 					},
 				},
@@ -900,8 +900,8 @@ func TestPopulateServices(t *testing.T) {
 						Name:      "s-1",
 						Namespace: "test-namespace",
 						Annotations: map[string]string{
-							annotations.AnnotationPrefix + annotations.TLSVerifyKey:                "true",
-							annotations.AnnotationPrefix + annotations.CACertificatesFromSecretKey: "ca-1",
+							annotations.AnnotationPrefix + annotations.TLSVerifyKey:             "true",
+							annotations.AnnotationPrefix + annotations.CACertificatesSecretsKey: "ca-1",
 						},
 					},
 				},

diff --git a/internal/dataplane/translator/translator_test.go b/internal/dataplane/translator/translator_test.go
@@ -5295,10 +5295,10 @@ func TestTranslator_IngressUpstreamTLSVerification(t *testing.T) {
 					Name:      "svc",
 					Namespace: "ns",
 					Annotations: map[string]string{
-						annotations.AnnotationPrefix + annotations.TLSVerifyKey:                "true",
-						annotations.AnnotationPrefix + annotations.TLSVerifyDepthKey:           "2",
-						annotations.AnnotationPrefix + annotations.CACertificatesFromSecretKey: "ca",
-						annotations.AnnotationPrefix + annotations.ProtocolKey:                 "https",
+						annotations.AnnotationPrefix + annotations.TLSVerifyKey:             "true",
+						annotations.AnnotationPrefix + annotations.TLSVerifyDepthKey:        "2",
+						annotations.AnnotationPrefix + annotations.CACertificatesSecretsKey: "ca",
+						annotations.AnnotationPrefix + annotations.ProtocolKey:              "https",
 					},
 				},
 				Spec: corev1.ServiceSpec{

diff --git a/internal/gatewayapi/aliases.go b/internal/gatewayapi/aliases.go
@@ -18,6 +18,8 @@ var (
 
 type (
 	AllowedRoutes                             = gatewayv1.AllowedRoutes
+	AnnotationKey                             = gatewayv1.AnnotationKey
+	AnnotationValue                           = gatewayv1.AnnotationValue
 	BackendObjectReference                    = gatewayv1.BackendObjectReference
 	BackendRef                                = gatewayv1.BackendRef
 	CommonRouteSpec                           = gatewayv1.CommonRouteSpec

diff --git a/test/integration/isolated/ingress_verify_upstream_tls_test.go b/test/integration/isolated/ingress_verify_upstream_tls_test.go
@@ -195,10 +195,10 @@ func TestIngressVerifyUpstreamTLS(t *testing.T) {
 
 			t.Logf("Setting up service annotations for TLS verification")
 			service.Annotations = map[string]string{
-				annotations.AnnotationPrefix + annotations.ProtocolKey:                 "https", // Only https or tls are supported.
-				annotations.AnnotationPrefix + annotations.TLSVerifyKey:                "true",
-				annotations.AnnotationPrefix + annotations.CACertificatesFromSecretKey: strings.Join([]string{caSecretName, anotherCASecretName}, ","),
-				annotations.AnnotationPrefix + annotations.TLSVerifyDepthKey:           "0", // First, we'll set it to 0 to make sure it fails.
+				annotations.AnnotationPrefix + annotations.ProtocolKey:              "https", // Only https or tls are supported.
+				annotations.AnnotationPrefix + annotations.TLSVerifyKey:             "true",
+				annotations.AnnotationPrefix + annotations.CACertificatesSecretsKey: strings.Join([]string{caSecretName, anotherCASecretName}, ","),
+				annotations.AnnotationPrefix + annotations.TLSVerifyDepthKey:        "0", // First, we'll set it to 0 to make sure it fails.
 			}
 			service, err = cluster.Client().CoreV1().Services(ns).Create(ctx, service, metav1.CreateOptions{})
 			assert.NoError(t, err)