This is an automated email from the ASF dual-hosted git repository.

zhangjintao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-ingress-controller.git


The following commit(s) were added to refs/heads/master by this push:
     new 3abe8af8 feat: ApisixTls suuport ingressClass (#1714)
3abe8af8 is described below

commit 3abe8af8a7db8f12fa4b3016ab794716da08fe8a
Author: Xin Rong <[email protected]>
AuthorDate: Wed Mar 15 09:20:16 2023 +0800

    feat: ApisixTls suuport ingressClass (#1714)
---
 pkg/kube/apisix/apis/config/v2/types.go            |   6 +
 pkg/providers/apisix/apisix_tls.go                 |  21 ++++
 pkg/providers/apisix/apisix_upstream.go            |   9 +-
 samples/deploy/crd/v1/ApisixTls.yaml               |   2 +
 test/e2e/scaffold/ssl.go                           |  11 +-
 .../suite-ingress-features/ingress-class.go        | 133 +++++++++++++++++++++
 6 files changed, 177 insertions(+), 5 deletions(-)

diff --git a/pkg/kube/apisix/apis/config/v2/types.go 
b/pkg/kube/apisix/apis/config/v2/types.go
index fbbfb5ce..d7d717d2 100644
--- a/pkg/kube/apisix/apis/config/v2/types.go
+++ b/pkg/kube/apisix/apis/config/v2/types.go
@@ -730,6 +730,12 @@ type HostType string
 
 // ApisixTlsSpec is the specification of ApisixSSL.
 type ApisixTlsSpec struct {
+       // IngressClassName is the name of an IngressClass cluster resource.
+       // controller implementations use this field to know whether they 
should be
+       // serving this ApisixTls resource, by a transitive connection
+       // (controller -> IngressClass -> ApisixTls resource).
+       // +optional
+       IngressClassName string `json:"ingressClassName,omitempty" 
yaml:"ingressClassName,omitempty"`
        // +required
        // +kubebuilder:validation:Required
        // +kubebuilder:validation:MinItems=1
diff --git a/pkg/providers/apisix/apisix_tls.go 
b/pkg/providers/apisix/apisix_tls.go
index d10f5ca0..2a432604 100644
--- a/pkg/providers/apisix/apisix_tls.go
+++ b/pkg/providers/apisix/apisix_tls.go
@@ -284,6 +284,9 @@ func (c *apisixTlsController) onAdd(obj interface{}) {
        if !c.namespaceProvider.IsWatchingNamespace(key) {
                return
        }
+       if !c.isEffective(tls) {
+               return
+       }
        log.Debugw("ApisixTls add event arrived",
                zap.Any("object", obj),
        )
@@ -320,6 +323,9 @@ func (c *apisixTlsController) onUpdate(prev, curr 
interface{}) {
        if !c.namespaceProvider.IsWatchingNamespace(key) {
                return
        }
+       if !c.isEffective(newTls) {
+               return
+       }
        log.Debugw("ApisixTls update event arrived",
                zap.Any("new object", curr),
                zap.Any("old object", prev),
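Review bot: The guard added to onUpdate checks only `newTls`, so an ApisixTls that was synced earlier and is then edited to an ingressClassName this controller does not serve is dropped here. As far as this hunk shows, nothing removes the certificate already pushed to APISIX, so the old SNI/cert pair would keep being served after the resource has been handed to another class. Consider also evaluating the previous object and, when it was effective but the new one is not, enqueueing a delete for it instead of returning silently. An e2e case that moves a resource from a matching class to a non-matching one would pin this behaviour. The body of onUpdate continues outside the hunk, so the handling may exist further down.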
@@ -357,6 +363,9 @@ func (c *apisixTlsController) onDelete(obj interface{}) {
        if !c.namespaceProvider.IsWatchingNamespace(key) {
                return
        }
+       if !c.isEffective(tls) {
+               return
+       }
        log.Debugw("ApisixTls delete event arrived",
                zap.Any("final state", obj),
        )
@@ -655,3 +664,15 @@ func (c *apisixTlsController) 
syncSSLsAndUpdateStatusV2(ctx context.Context, ev
                return true
        }
 }
+
+func (c *apisixTlsController) isEffective(atls kube.ApisixTls) bool {
+       if atls.GroupVersion() == config.ApisixV2 {
+               var ingClassName string
+               if atls.V2().Spec != nil {
+                       ingClassName = atls.V2().Spec.IngressClassName
+               }
+               return utils.MatchCRDsIngressClass(ingClassName, 
c.Kubernetes.IngressClass)
+       }
+       // Compatible with legacy versions
+       return true
+}
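Review bot: The class filter is wired into onAdd, onUpdate and onDelete, but this diff has no matching change to the ApisixTls ResourceSync path, whereas the ApisixUpstream ResourceSync in the same commit gains an `isEffective` check. If the TLS resync enqueues every listed object, periodic sync would still push certificates from other ingress classes into APISIX; that function is not visible here, so please confirm and add the same `if !c.isEffective(...) { continue }` guard there. The new method also has no doc comment; something like `// isEffective reports whether this controller should handle atls based on its ingressClassName; non-v2 objects are always handled.` would record the legacy fallthrough. The body is a copy of apisixUpstreamController.isEffective, so a shared helper taking the class name would keep the two from drifting.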
diff --git a/pkg/providers/apisix/apisix_upstream.go 
b/pkg/providers/apisix/apisix_upstream.go
index dbe6b7e8..e13ed0ad 100644
--- a/pkg/providers/apisix/apisix_upstream.go
+++ b/pkg/providers/apisix/apisix_upstream.go
@@ -659,7 +659,10 @@ func (c *apisixUpstreamController) ResourceSync() {
                au, err := kube.NewApisixUpstream(obj)
                if err != nil {
                        log.Errorw("ApisixUpstream sync failed, found 
ApisixUpstream resource with bad type", zap.Error(err))
-                       return
+                       continue
+               }
+               if !c.isEffective(au) {
+                       continue
                }
                c.workqueue.Add(&types.Event{
                        Type: types.EventAdd,
@@ -878,9 +881,11 @@ func (c *apisixUpstreamController) recordStatus(at 
interface{}, reason string, e
 
 func (c *apisixUpstreamController) isEffective(au kube.ApisixUpstream) bool {
        if au.GroupVersion() == config.ApisixV2 {
+               var ingClassName string
                if au.V2().Spec != nil {
-                       return 
utils.MatchCRDsIngressClass(au.V2().Spec.IngressClassName, 
c.Kubernetes.IngressClass)
+                       ingClassName = au.V2().Spec.IngressClassName
                }
+               return utils.MatchCRDsIngressClass(ingClassName, 
c.Kubernetes.IngressClass)
        }
        // Compatible with legacy versions
        return true
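Review bot: This refactor changes the result for a v2 ApisixUpstream whose `Spec` is nil. The old code fell through to `return true`, while the new code passes an empty class name to `utils.MatchCRDsIngressClass`, so the outcome now depends on how that helper treats `""` for the configured `c.Kubernetes.IngressClass`. The helper is not visible in this diff; if an empty name is rejected for some controller settings, such objects are now skipped. A short comment above the call would make the intent explicit, for example `// A nil Spec is treated like an unset ingressClassName.`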
diff --git a/samples/deploy/crd/v1/ApisixTls.yaml 
b/samples/deploy/crd/v1/ApisixTls.yaml
index 202e8c02..5cd39e87 100644
--- a/samples/deploy/crd/v1/ApisixTls.yaml
+++ b/samples/deploy/crd/v1/ApisixTls.yaml
@@ -231,6 +231,8 @@ spec:
                 - hosts
                 - secret
               properties:
+                ingressClassName:
+                  type: string
                 client:
                   description: ApisixMutualTlsClientConfig describes the 
mutual TLS
                     CA and verify depth
diff --git a/test/e2e/scaffold/ssl.go b/test/e2e/scaffold/ssl.go
index ae171086..242f1d95 100644
--- a/test/e2e/scaffold/ssl.go
+++ b/test/e2e/scaffold/ssl.go
@@ -55,6 +55,7 @@ kind: ApisixTls
 metadata:
   name: %s
 spec:
+  %s
   hosts:
   - %s
   secret:
@@ -113,8 +114,12 @@ func (s *Scaffold) NewClientCASecret(name, cert, key 
string) error {
 }
 
 // NewApisixTls new a ApisixTls CRD
-func (s *Scaffold) NewApisixTls(name, host, secretName string) error {
-       tls := fmt.Sprintf(_api6tlsTemplate, s.opts.ApisixResourceVersion, 
name, host, secretName, s.kubectlOptions.Namespace)
+func (s *Scaffold) NewApisixTls(name, host, secretName string, 
ingressClassName ...string) error {
+       var ingClassName string
+       if len(ingressClassName) > 0 {
+               ingClassName = "ingressClassName: " + ingressClassName[0]
+       }
+       tls := fmt.Sprintf(_api6tlsTemplate, s.opts.ApisixResourceVersion, 
name, ingClassName, host, secretName, s.kubectlOptions.Namespace)
        if err := s.CreateResourceFromString(tls); err != nil {
                return err
        }
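Review bot: The new variadic `ingressClassName` parameter is read only at index 0 and any further values are silently ignored, which the doc comment does not mention. Suggested comment: `// NewApisixTls creates an ApisixTls resource; an optional first ingressClassName sets spec.ingressClassName, extra values are ignored.` The value is also concatenated unquoted into the YAML template, so a name containing `: ` or `#` would change the manifest structure; `ingClassName = fmt.Sprintf("ingressClassName: %q", ingressClassName[0])` keeps it a single scalar. The function body continues outside the hunk.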
@@ -132,7 +137,7 @@ func (s *Scaffold) NewApisixTlsWithClientCA(name, host, 
secretName, clientCASecr
 
 // DeleteApisixTls remove ApisixTls CRD
 func (s *Scaffold) DeleteApisixTls(name string, host, secretName string) error 
{
-       tls := fmt.Sprintf(_api6tlsTemplate, s.opts.ApisixResourceVersion, 
name, host, secretName, s.kubectlOptions.Namespace)
+       tls := fmt.Sprintf(_api6tlsTemplate, s.opts.ApisixResourceVersion, 
name, "", host, secretName, s.kubectlOptions.Namespace)
        if err := k8s.KubectlDeleteFromStringE(s.t, s.kubectlOptions, tls); err 
!= nil {
                return err
        }
diff --git a/test/e2e/suite-ingress/suite-ingress-features/ingress-class.go 
b/test/e2e/suite-ingress/suite-ingress-features/ingress-class.go
index a61a0a41..580d0bed 100644
--- a/test/e2e/suite-ingress/suite-ingress-features/ingress-class.go
+++ b/test/e2e/suite-ingress/suite-ingress-features/ingress-class.go
@@ -25,6 +25,57 @@ import (
        "github.com/apache/apisix-ingress-controller/test/e2e/scaffold"
 )
 
+const (
+       _secretName = "test-apisix-tls"
+       _cert       = `-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----`
+       _key = `-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----`
+)
+
 var _ = ginkgo.Describe("suite-ingress-features: Testing CRDs with 
IngressClass", func() {
        s := scaffold.NewScaffold(&scaffold.Options{
                Name:                  "ingress-class",
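Review bot: `_key` commits an RSA private key, together with its certificate in `_cert`, into the repository as package-level constants. For an e2e fixture this is common, but the key must be treated as public from now on, and secret scanners will flag it on every run unless it is allow-listed. A comment on the const block would say so explicitly, for example `// Test-only key pair: publicly known, never use outside e2e tests.` Generating a throwaway key pair in the test setup (crypto/rsa plus crypto/x509) would avoid shipping key material at all.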
@@ -284,6 +335,50 @@ spec:
                resp.Status(http.StatusOK)
                resp.Body().IsEqual("my custom body")
        })
+
+       ginkgo.It("ApisiTls should be handled", func() {
+               err := s.NewSecret(_secretName, _cert, _key)
+               assert.Nil(ginkgo.GinkgoT(), err, "create secret error")
+               // create ApisixTls resource without ingressClassName
+               tlsName := "tls-name"
+               host := "api6.com"
+               err = s.NewApisixTls(tlsName, host, _secretName)
+               assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+               time.Sleep(6 * time.Second)
+
+               // check ssl in APISIX
+               tls, err := s.ListApisixSsl()
+               assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+               assert.Len(ginkgo.GinkgoT(), tls, 1, "tls number not expect")
+               assert.Equal(ginkgo.GinkgoT(), tls[0].Snis[0], host, "tls host 
is error")
+
+               // update ApisixTls resource with ingressClassName: apisix
+               host2 := "api7.com"
+               err = s.NewApisixTls(tlsName, host2, _secretName, "apisix")
+               assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+               time.Sleep(6 * time.Second)
+
+               // check ssl in APISIX
+               tls, err = s.ListApisixSsl()
+               assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+               assert.Len(ginkgo.GinkgoT(), tls, 1, "tls number not expect")
+               assert.Equal(ginkgo.GinkgoT(), tls[0].Snis[0], host2, "tls host 
is error")
+       })
+
+       ginkgo.It("ApisiTls should be ignored", func() {
+               err := s.NewSecret(_secretName, _cert, _key)
+               assert.Nil(ginkgo.GinkgoT(), err, "create secret error")
+               // create ApisixTls resource with ingressClassName: ignored
+               tlsName := "tls-name"
+               host := "api6.com"
+               err = s.NewApisixTls(tlsName, host, _secretName, "ignored")
+               assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+               time.Sleep(6 * time.Second)
+               // check ssl in APISIX
+               tls, err := s.ListApisixSsl()
+               assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+               assert.Len(ginkgo.GinkgoT(), tls, 0, "tls number not expect")
+       })
 })
 
 var _ = ginkgo.Describe("suite-ingress-features: Testing CRDs with 
IngressClass apisix-and-all", func() {
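Review bot: The "should be ignored" case asserts `assert.Len(ginkgo.GinkgoT(), tls, 0, ...)` after a fixed `time.Sleep(6 * time.Second)`, so it also passes when the controller is simply slow or has not synced anything yet. A negative check is stronger when the test also creates a second ApisixTls with a matching class, waits until that one is listed, and only then asserts the ignored one is absent. The same fixed-sleep pattern is used in the "should be handled" cases here and in the next hunk; polling `s.ListApisixSsl()` until the expected SNI appears would make them less timing-sensitive. No case covers a resource that moves from a served class to an unserved one, which is the path where a stale certificate could remain in APISIX. The test names also read "ApisiTls" rather than "ApisixTls".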
@@ -470,4 +565,42 @@ spec:
                resp.Status(http.StatusOK)
                resp.Body().IsEqual("my custom body")
        })
+
+       ginkgo.It("ApisiTls should be handled", func() {
+               err := s.NewSecret(_secretName, _cert, _key)
+               assert.Nil(ginkgo.GinkgoT(), err, "create secret error")
+               // create ApisixTls resource without ingressClassName
+               tlsName := "tls-name"
+               host := "api6.com"
+               err = s.NewApisixTls(tlsName, host, _secretName)
+               assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+               time.Sleep(6 * time.Second)
+               // check ssl in APISIX
+               tls, err := s.ListApisixSsl()
+               assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+               assert.Len(ginkgo.GinkgoT(), tls, 1, "tls number not expect")
+               assert.Equal(ginkgo.GinkgoT(), tls[0].Snis[0], host, "tls host 
is error")
+
+               // update ApisixTls resource with ingressClassName: apisix
+               host2 := "api7.com"
+               err = s.NewApisixTls(tlsName, host2, _secretName, "apisix")
+               assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+               time.Sleep(6 * time.Second)
+               // check ssl in APISIX
+               tls, err = s.ListApisixSsl()
+               assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+               assert.Len(ginkgo.GinkgoT(), tls, 1, "tls number not expect")
+               assert.Equal(ginkgo.GinkgoT(), tls[0].Snis[0], host2, "tls host 
is error")
+
+               // update ApisixTls resource with ingressClassName: watch
+               host3 := "api7.org"
+               err = s.NewApisixTls(tlsName, host3, _secretName, "watch")
+               assert.Nil(ginkgo.GinkgoT(), err, "create tls error")
+               time.Sleep(6 * time.Second)
+               // check ssl in APISIX
+               tls, err = s.ListApisixSsl()
+               assert.Nil(ginkgo.GinkgoT(), err, "list tls error")
+               assert.Len(ginkgo.GinkgoT(), tls, 1, "tls number not expect")
+               assert.Equal(ginkgo.GinkgoT(), tls[0].Snis[0], host3, "tls host 
is error")
+       })
 })
