From 839bec7e4c74560a75248cdb067542691e0a125d Mon Sep 17 00:00:00 2001
From: Reto Lehmann
Date: Thu, 23 Nov 2023 09:27:11 +0100
Subject: [PATCH] Switch IngressTLS helper from equality to contains
---
 pkg/apis/networking/register.go | 2 +-
 .../networking/v1alpha1/ingress_helpers.go | 24 +++++++++++--------
 .../v1alpha1/ingress_helpers_test.go | 23 ++++++++++++++++++
 3 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/pkg/apis/networking/register.go b/pkg/apis/networking/register.go
index 4a7a82bc4..342560f74 100644
--- a/pkg/apis/networking/register.go
+++ b/pkg/apis/networking/register.go
@@ -121,7 +121,7 @@ const (
 VisibilityLabelKey = PublicGroupName + "/visibility"
 // CertificateTypeLabelKey is the label to indicate the type of Knative certificate
- // used for Knative Serving encryption functionality.
+ // used for Knative Serving encryption functionality. Corresponding values are defined in config.CertificateType.
 CertificateTypeLabelKey = PublicGroupName + "/certificate-type"
 )
diff --git a/pkg/apis/networking/v1alpha1/ingress_helpers.go b/pkg/apis/networking/v1alpha1/ingress_helpers.go
index e8ea7c17b..aa2532f94 100644
--- a/pkg/apis/networking/v1alpha1/ingress_helpers.go
+++ b/pkg/apis/networking/v1alpha1/ingress_helpers.go
@@ -17,12 +17,11 @@ limitations under the License.
 package v1alpha1
 import (
- "github.com/google/go-cmp/cmp"
- "github.com/google/go-cmp/cmp/cmpopts"
+ "slices"
 )
-// GetIngressTLSForVisibility returns a list of `Spec.TLS` where the `Hosts` field matches
-// to `Spec.Rules.Hosts` and where the Rules have the defined ingress visibility.
+// GetIngressTLSForVisibility returns a list of `Spec.TLS` where each host in the `Rules.Hosts` field is
+// present in `Spec.TLS.Hosts` and where the Rules have the defined ingress visibility.
 // This method can be used in net-* implementations to select the correct `IngressTLS` entries
 // for cluster-local and cluster-external gateways/listeners.
 func (i *Ingress) GetIngressTLSForVisibility(visibility IngressVisibility) []IngressTLS {
@@ -32,12 +31,17 @@ func (i *Ingress) GetIngressTLSForVisibility(visibility IngressVisibility) []Ing
 return ingressTLS
 }
- for _, r := range i.Spec.Rules {
- if r.Visibility == visibility {
- for _, t := range i.Spec.TLS {
- // Check if hosts slices are equal ignoring the order
- if cmp.Diff(r.Hosts, t.Hosts, cmpopts.SortSlices(func(a, b string) bool { return a < b })) == "" {
- ingressTLS = append(ingressTLS, t)
+ for _, rule := range i.Spec.Rules {
+ if rule.Visibility == visibility {
+ for _, tls := range i.Spec.TLS {
+ containsAllRulesHosts := true
+ for _, h := range rule.Hosts {
+ if !slices.Contains(tls.Hosts, h) {
+ containsAllRulesHosts = false
+ }
+ }
+ if containsAllRulesHosts {
+ ingressTLS = append(ingressTLS, tls)
 }
 }
 }
diff --git a/pkg/apis/networking/v1alpha1/ingress_helpers_test.go b/pkg/apis/networking/v1alpha1/ingress_helpers_test.go
index abd138f16..4b9004a3a 100644
--- a/pkg/apis/networking/v1alpha1/ingress_helpers_test.go
+++ b/pkg/apis/networking/v1alpha1/ingress_helpers_test.go
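Review bot: The rewritten doc comment on GetIngressTLSForVisibility does not say that a returned entry can now carry hosts that are not in any rule of the requested visibility, including hosts that belong to a rule with the other visibility. A net-* implementation that configures a listener from `IngressTLS.Hosts` could then, presumably, attach a cluster-local host name or its certificate to an external listener, or the reverse. I would add a line such as `// The returned entries may list additional hosts; callers must not assume every host in IngressTLS.Hosts belongs to the requested visibility.` The function body continues outside this hunk.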
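Review bot: A rule with an empty `Hosts` list now matches every entry in `Spec.TLS`, because `containsAllRulesHosts` starts as `true` and the loop over `rule.Hosts` never runs; the removed equality check did not match non-empty TLS host lists in that case. Unless validation elsewhere already rejects host-less rules, guard it with `if rule.Visibility == visibility && len(rule.Hosts) > 0 {` so such a rule cannot pull in TLS entries meant for another visibility. The superset match also lets one TLS entry be appended once per matching rule, so callers may now see duplicates in the result. A `break` after `containsAllRulesHosts = false` would stop scanning once a host is missing. The function starts and its outer loop closes outside this hunk.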
@@ -135,6 +135,29 @@ func TestGetIngressTLSForVisibility(t *testing.T) {
 },
 },
 want: make([]IngressTLS, 0),
+ }, {
+ name: "matching entries with additional hosts in TLS block",
+ visibility: IngressVisibilityClusterLocal,
+ ingress: &Ingress{
+ Spec: IngressSpec{
+ Rules: []IngressRule{
+ {
+ Hosts: []string{"expected"},
+ Visibility: IngressVisibilityClusterLocal,
+ },
+ {
+ Hosts: []string{"other", "entries"},
+ Visibility: IngressVisibilityExternalIP,
+ },
+ },
+ TLS: []IngressTLS{
+ {Hosts: []string{"expected", "additional"}},
+ },
+ },
+ },
+ want: []IngressTLS{
+ {Hosts: []string{"expected", "additional"}},
+ },
 }}
 for _, test := range tests {
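Review bot: The added table entry only covers a TLS block with one unrelated extra host, so it does not pin the cases where the contains semantics differ most from the old equality check. I would add entries for a TLS block whose hosts span both a cluster-local and an external rule (asserting what each visibility returns), a TLS block that holds only some of a rule's hosts (expecting no match), and a rule with an empty `Hosts` list. The test table and the function start and end outside this hunk.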