This is an automated email from the ASF dual-hosted git repository.
astefanutti pushed a commit to branch release-1.6.x
in repository https://gitbox.apache.org/repos/asf/camel-k.git
The following commit(s) were added to refs/heads/release-1.6.x by this push:
new 4d716fa trait/route: Add tests for route trait and read certificate
from secrets
4d716fa is described below
commit 4d716fa1c160a34f092e2062f8b5b06cbb016d37
Author: Claudio Miranda <clau...@claudius.com.br>
AuthorDate: Thu Aug 12 19:00:47 2021 -0300
trait/route: Add tests for route trait and read certificate from secrets
* Add parameters to read TLS certificates from secrets
* Add unit tests for route TLS configuration
* Add e2e tests for route TLS configuration
* Add example in route trait documentation
---
deploy/traits.yaml | 56 +++-
docs/modules/traits/pages/route.adoc | 97 ++++++-
e2e/common/traits/files/PlatformHttpServer.java | 25 ++
e2e/common/traits/route_test.go | 337 ++++++++++++++++++++++++
e2e/support/test_support.go | 15 ++
pkg/resources/resources.go | 4 +-
pkg/trait/route.go | 124 +++++++--
pkg/trait/route_test.go | 321 +++++++++++++++++++++-
pkg/util/openshift/register.go | 2 +
9 files changed, 944 insertions(+), 37 deletions(-)
diff --git a/deploy/traits.yaml b/deploy/traits.yaml
index 62f63c0..e1ce66d 100755
--- a/deploy/traits.yaml
+++ b/deploy/traits.yaml
@@ -820,8 +820,17 @@ traits:
platform: false
profiles:
- OpenShift
- description: The Route trait can be used to configure the creation of
OpenShift
- routes for the integration.
+ description: 'The Route trait can be used to configure the creation of
OpenShift
+ routes for the integration. The certificate and key contents may be
sourced either
+ from the local filesystem or in a Openshift `secret` object. The user may
use
+ the parameters ending in `-secret` (example: `tls-certificate-secret`) to
reference
+ a certificate stored in a `secret`. Parameters ending in `-secret` have
higher
+ priorities and in case the same route parameter is set, for example:
`tls-key-secret`
+ and `tls-key`, then `tls-key-secret` is used. The recommended approach to
set
+ the key and certificates is to use `secrets` to store their contents and
use the
+ following parameters to reference them: `tls-certificate-secret`,
`tls-key-secret`,
+ `tls-ca-certificate-secret`, `tls-destination-ca-certificate-secret` See
the examples
+ section at the end of this page to see the setup options.'
properties:
- name: enabled
type: bool
@@ -833,19 +842,40 @@ traits:
- name: tls-termination
type: string
description: The TLS termination type, like `edge`, `passthrough` or
`reencrypt`.Refer
- to the OpenShift documentation for additional information.
+ to the OpenShift route documentation for additional information.
- name: tls-certificate
type: string
- description: The TLS certificate contents.Refer to the OpenShift
documentation
+ description: The TLS certificate contents.Refer to the OpenShift route
documentation
for additional information.
+ - name: tls-certificate-secret
+ type: string
+ description: The secret name and key reference to the TLS certificate. The
format
+ is "secret-name[/key-name]", the value represents the secret name, if
there
+ is only one key in the secret it will be read, otherwise you can set a
key name
+ separated with a "/".Refer to the OpenShift route documentation for
additional
+ information.
- name: tls-key
type: string
- description: The TLS certificate key contents.Refer to the OpenShift
documentation
+ description: The TLS certificate key contents.Refer to the OpenShift route
documentation
for additional information.
+ - name: tls-key-secret
+ type: string
+ description: The secret name and key reference to the TLS certificate key.
The
+ format is "secret-name[/key-name]", the value represents the secret
name, if
+ there is only one key in the secret it will be read, otherwise you can
set a
+ key name separated with a "/".Refer to the OpenShift route documentation
for
+ additional information.
- name: tls-ca-certificate
type: string
- description: The TLS cert authority certificate contents.Refer to the
OpenShift
- documentation for additional information.
+ description: The TLS CA certificate contents.Refer to the OpenShift route
documentation
+ for additional information.
+ - name: tls-ca-certificate-secret
+ type: string
+ description: The secret name and key reference to the TLS CA certificate.
The
+ format is "secret-name[/key-name]", the value represents the secret
name, if
+ there is only one key in the secret it will be read, otherwise you can
set a
+ key name separated with a "/".Refer to the OpenShift route documentation
for
+ additional information.
- name: tls-destination-ca-certificate
type: string
description: The destination CA certificate provides the contents of the
ca certificate
@@ -854,11 +884,19 @@ traits:
connection.If this field is not specified, the router may provide its
own destination
CA and perform hostname validation usingthe short service name
(service.namespace.svc),
which allows infrastructure generated certificates to
automaticallyverify.Refer
- to the OpenShift documentation for additional information.
+ to the OpenShift route documentation for additional information.
+ - name: tls-destination-ca-certificate-secret
+ type: string
+ description: The secret name and key reference to the destination CA
certificate.
+ The format is "secret-name[/key-name]", the value represents the secret
name,
+ if there is only one key in the secret it will be read, otherwise you
can set
+ a key name separated with a "/".Refer to the OpenShift route
documentation for
+ additional information.
- name: tls-insecure-edge-termination-policy
type: string
description: To configure how to deal with insecure traffic, e.g. `Allow`,
`Disable`
- or `Redirect` traffic.Refer to the OpenShift documentation for
additional information.
+ or `Redirect` traffic.Refer to the OpenShift route documentation for
additional
+ information.
- name: service-binding
platform: false
profiles:
diff --git a/docs/modules/traits/pages/route.adoc
b/docs/modules/traits/pages/route.adoc
index 3e2254e..493586c 100755
--- a/docs/modules/traits/pages/route.adoc
+++ b/docs/modules/traits/pages/route.adoc
@@ -3,6 +3,14 @@
// Start of autogenerated code - DO NOT EDIT! (description)
The Route trait can be used to configure the creation of OpenShift routes for
the integration.
+The certificate and key contents may be sourced either from the local
filesystem or in a Openshift `secret` object.
+The user may use the parameters ending in `-secret` (example:
`tls-certificate-secret`) to reference a certificate stored in a `secret`.
+Parameters ending in `-secret` have higher priorities and in case the same
route parameter is set, for example: `tls-key-secret` and `tls-key`,
+then `tls-key-secret` is used.
+The recommended approach to set the key and certificates is to use `secrets`
to store their contents and use the
+following parameters to reference them: `tls-certificate-secret`,
`tls-key-secret`, `tls-ca-certificate-secret`,
`tls-destination-ca-certificate-secret`
+See the examples section at the end of this page to see the setup options.
+
This trait is available in the following profiles: **OpenShift**.
@@ -33,25 +41,43 @@ The following configuration options are available:
| string
| The TLS termination type, like `edge`, `passthrough` or `reencrypt`.
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
| route.tls-certificate
| string
| The TLS certificate contents.
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
+
+| route.tls-certificate-secret
+| string
+| The secret name and key reference to the TLS certificate. The format is
"secret-name[/key-name]", the value represents the secret name, if there is
only one key in the secret it will be read, otherwise you can set a key name
separated with a "/".
+
+Refer to the OpenShift route documentation for additional information.
| route.tls-key
| string
| The TLS certificate key contents.
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
+
+| route.tls-key-secret
+| string
+| The secret name and key reference to the TLS certificate key. The format is
"secret-name[/key-name]", the value represents the secret name, if there is
only one key in the secret it will be read, otherwise you can set a key name
separated with a "/".
+
+Refer to the OpenShift route documentation for additional information.
| route.tls-ca-certificate
| string
-| The TLS cert authority certificate contents.
+| The TLS CA certificate contents.
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
+
+| route.tls-ca-certificate-secret
+| string
+| The secret name and key reference to the TLS CA certificate. The format is
"secret-name[/key-name]", the value represents the secret name, if there is
only one key in the secret it will be read, otherwise you can set a key name
separated with a "/".
+
+Refer to the OpenShift route documentation for additional information.
| route.tls-destination-ca-certificate
| string
@@ -61,14 +87,71 @@ If this field is not specified, the router may provide its
own destination CA an
the short service name (service.namespace.svc), which allows infrastructure
generated certificates to automatically
verify.
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
+
+| route.tls-destination-ca-certificate-secret
+| string
+| The secret name and key reference to the destination CA certificate. The
format is "secret-name[/key-name]", the value represents the secret name, if
there is only one key in the secret it will be read, otherwise you can set a
key name separated with a "/".
+
+Refer to the OpenShift route documentation for additional information.
| route.tls-insecure-edge-termination-policy
| string
| To configure how to deal with insecure traffic, e.g. `Allow`, `Disable` or
`Redirect` traffic.
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
|===
// End of autogenerated code - DO NOT EDIT! (configuration)
+
+== Examples
+
+These examples uses *secrets* to store the certificates and keys to be
referenced in the integrations. Read Openshift route documentation for detailed
information about routes. The
https://github.com/apache/camel-k/blob/main/examples/http/PlatformHttpServer.java[PlatformHttpServer.java]
is the integration example.
+
+As a requirement to run these examples, you should have a `secret` with a key
and certificate.
+
+=== Generate a self-signed certificate and create a secret
+
+[source,console]
+openssl genrsa -out tls.key
+openssl req -new -key tls.key -out csr.csr -subj "/CN=my-server.com"
+openssl x509 -req -in csr.csr -signkey tls.key -out tls.crt
+oc create secret tls my-combined-certs --key=tls.key --cert=tls.crt
+
+=== Making an HTTP request to the route
+
+For all examples, you can use the following curl command to make an HTTP
request. It makes use of inline scripts to retrieve the openshift namespace and
cluster base domain, if you are using a shell which doesn't support these
inline scripts, you should replace the inline scripts with the values of your
actual namespace and base domain.
+
+[source,console]
+curl -k https://platform-http-server-`oc config view --minify -o
'jsonpath={..namespace}'`.`oc get dnses/cluster
-ojsonpath='{.spec.baseDomain}'`/hello?name=Camel-K
+
+* To add an *edge* route using secrets, use the parameters ending in `-secret`
to set the secret name which contains the certificate. This route example trait
references a secret named `my-combined-certs` which contains two keys named
`tls.key` and `tls.crt`.
++
+[source,console]
+kamel run --dev PlatformHttpServer.java -t route.tls-termination=edge -t
route.tls-certificate-secret=my-combined-certs/tls.crt -t
route.tls-key-secret=my-combined-certs/tls.key
+
+* To add a *passthrough* route using secrets, the TLS is setup in the
integration pod, the keys and certificates should be visible in the running
integration pod, to achieve this we are using the `--resource` kamel parameter
to mount the secret in the integration pod, then we use some camel quarkus
parameters to reference these certificate files in the running pod, they start
with `-p quarkus.http.ssl.certificate`. This route example trait references a
secret named `my-combined-certs` wh [...]
++
+[source,console]
+kamel run --dev PlatformHttpServer.java --resource
secret:my-combined-certs@/etc/ssl/my-combined-certs -p
quarkus.http.ssl.certificate.file=/etc/ssl/my-combined-certs/tls.crt -p
quarkus.http.ssl.certificate.key-file=/etc/ssl/my-combined-certs/tls.key -t
route.tls-termination=passthrough -t container.port=8443
+
+* To add a *reencrypt* route using secrets, the TLS is setup in the
integration pod, the keys and certificates should be visible in the running
integration pod, to achieve this we are using the `--resource` kamel parameter
to mount the secret in the integration pod, then we use some camel quarkus
parameters to reference these certificate files in the running pod, they start
with `-p quarkus.http.ssl.certificate`. This route example trait references a
secret named `my-combined-certs` whic [...]
++
+[source,console]
+kamel run --dev PlatformHttpServer.java --resource
secret:my-combined-certs@/etc/ssl/my-combined-certs -p
quarkus.http.ssl.certificate.file=/etc/ssl/my-combined-certs/tls.crt -p
quarkus.http.ssl.certificate.key-file=/etc/ssl/my-combined-certs/tls.key -t
route.tls-termination=reencrypt -t
route.tls-destination-ca-certificate-secret=my-combined-certs/tls.crt -t
route.tls-certificate-secret=my-combined-certs/tls.crt -t
route.tls-key-secret=my-combined-certs/tls.key -t container.port=8443
+
+* To add a *reencrypt* route using a specific certificate from a secret for
the route and
https://docs.openshift.com/container-platform/4.8/security/certificates/service-serving-certificate.html#add-service-certificate_service-serving-certificate[Openshift
service serving certificates] for the integration endpoint. This way the
Openshift service serving certificates is set up only in the integration pod.
The keys and certificates should be visible in the running integration pod, to
achie [...]
++
+[source,console]
+kamel run --dev PlatformHttpServer.java --resource
secret:cert-from-openshift@/etc/ssl/cert-from-openshift -p
quarkus.http.ssl.certificate.file=/etc/ssl/cert-from-openshift/tls.crt -p
quarkus.http.ssl.certificate.key-file=/etc/ssl/cert-from-openshift/tls.key -t
route.tls-termination=reencrypt -t
route.tls-certificate-secret=my-combined-certs/tls.crt -t
route.tls-key-secret=my-combined-certs/tls.key -t container.port=8443
++
+Then you should annotate the integration service to inject the Openshift
service serving certificates
++
+[source,console]
+oc annotate service platform-http-server
service.beta.openshift.io/serving-cert-secret-name=cert-from-openshift
+
+* To add an *edge* route using a certificate and a private key provided from
your local filesystem. This example uses inline scripts to read the certificate
and private key file contents, then remove all new line characters, (this is
required to set the certificate as parameter's values), so the values are in a
single line.
++
+[source,console]
+kamel run PlatformHttpServer.java --dev -t route.tls-termination=edge -t
route.tls-certificate="$(cat tls.crt|awk 'NF {sub(/\r/, ""); printf
"%s\\n",$0;}')" -t route.tls-key="$(cat tls.key|awk 'NF {sub(/\r/, ""); printf
"%s\\n",$0;}')"
diff --git a/e2e/common/traits/files/PlatformHttpServer.java
b/e2e/common/traits/files/PlatformHttpServer.java
new file mode 100644
index 0000000..9e52514
--- /dev/null
+++ b/e2e/common/traits/files/PlatformHttpServer.java
@@ -0,0 +1,25 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import org.apache.camel.builder.RouteBuilder;
+
+public class PlatformHttpServer extends RouteBuilder {
+ @Override
+ public void configure() throws Exception {
+ from("platform-http:/hello?httpMethodRestrict=GET").setBody(simple("Hello
${header.name}"));
+ }
+}
\ No newline at end of file
diff --git a/e2e/common/traits/route_test.go b/e2e/common/traits/route_test.go
new file mode 100644
index 0000000..341215d
--- /dev/null
+++ b/e2e/common/traits/route_test.go
@@ -0,0 +1,337 @@
+// +build integration
+
+// To enable compilation of this file in Goland, go to "Settings -> Go ->
Vendoring & Build Tags -> Custom Tags" and add "knative"
+
+/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package traits
+
+import (
+ "bytes"
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/tls"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "fmt"
+ "math/big"
+ "net/http"
+ "testing"
+ "time"
+
+ . "github.com/onsi/gomega"
+ "github.com/stretchr/testify/assert"
+
+ rand2 "math/rand"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ . "github.com/apache/camel-k/e2e/support"
+ "github.com/apache/camel-k/pkg/util/openshift"
+)
+
+const(
+ secretName = "test-certificate"
+ integrationName = "platform-http-server"
+ waitBeforeHttpRequest = 7 * time.Second
+)
+
+type keyCertificatePair struct {
+ Key []byte
+ Certificate []byte
+}
+
+// self-signed certificate used when making the https request
+var certPem []byte
+
+// the e2e tests run on openshift3 in CI and there is no object to retrieve
the base domain name
+// to create a valid hostname to later have it validate when doing the https
request
+// as this a e2e test to validate the route object and not the certificate
itself
+// if the base domain name cannot be retrieved from dns/cluster we can safely
skip TLS verification
+// if running on openshift4, there is the dns/cluster object to retrieve the
base domain name,
+// then in this case the http client validates the TLS certificate
+var skipClientTLSVerification = true
+
+func TestRunRoutes(t *testing.T) {
+ WithNewTestNamespace(t, func(ns string) {
+ ocp, err := openshift.IsOpenShift(TestClient())
+ if !ocp {
+ t.Skip("This test requires route object which is
available on OpenShift only.")
+ return
+ }
+ assert.Nil(t, err)
+
+ Expect(Kamel("install", "-n", ns).Execute()).To(Succeed())
+
+ // create a test secret of type tls with certificates
+ // this secret is used to setupt the route TLS object across
diferent tests
+ secret, err := createSecret(ns)
+ assert.Nil(t, err)
+
+ // they refer to the certificates create in the secret and are
reused the different tests
+ refKey := secretName + "/" + corev1.TLSPrivateKeyKey
+ refCert := secretName + "/" + corev1.TLSCertKey
+
+ // =============================
+ // Insecure Route / No TLS
+ // =============================
+ t.Run("Route unsecure http works", func(t *testing.T) {
+ Expect(Kamel("run", "-n", ns,
"files/PlatformHttpServer.java").Execute()).To(Succeed())
+ Eventually(IntegrationPodPhase(ns, integrationName),
TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+ route := Route(ns, integrationName)
+ Eventually(route, TestTimeoutMedium).ShouldNot(BeNil())
+ // must wait a little time after route is created,
before doing an http request,
+ // otherwise the route is unavailable and the http
request will fail
+ time.Sleep(waitBeforeHttpRequest)
+ url := fmt.Sprintf("http://%s/hello?name=Simple";,
route().Spec.Host)
+ response, err := httpRequest(t, url, false)
+ assert.Nil(t, err)
+ assert.Equal(t, "Hello Simple", response)
+ Expect(Kamel("delete", "--all", "-n",
ns).Execute()).Should(BeNil())
+ })
+
+ // =============================
+ // TLS Route Edge
+ // =============================
+
+ t.Run("Route Edge https works", func(t *testing.T) {
+ Expect(Kamel("run", "-n", ns,
"files/PlatformHttpServer.java", "-t",
"route.tls-termination=edge").Execute()).To(Succeed())
+ Eventually(IntegrationPodPhase(ns, integrationName),
TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+ route := Route(ns, integrationName)
+ Eventually(route, TestTimeoutMedium).ShouldNot(BeNil())
+ // must wait a little time after route is created,
before an http request,
+ // otherwise the route is unavailable and the http
request will fail
+ time.Sleep(waitBeforeHttpRequest)
+ url := fmt.Sprintf("https://%s/hello?name=TLS_Edge";,
route().Spec.Host)
+ response, err := httpRequest(t, url, true)
+ assert.Nil(t, err)
+ assert.Equal(t, "Hello TLS_Edge", response)
+ Expect(Kamel("delete", "--all", "-n",
ns).Execute()).Should(BeNil())
+ })
+
+ // =============================
+ // TLS Route Edge with custom certificate
+ // =============================
+
+ t.Run("Route Edge (custom certificate) https works", func(t
*testing.T) {
+ Expect(Kamel("run", "-n", ns,
"files/PlatformHttpServer.java",
+ "-t", "route.tls-termination=edge",
+ "-t", "route.tls-certificate-secret=" + refCert,
+ "-t", "route.tls-key-secret=" + refKey,
+ ).Execute()).To(Succeed())
+ Eventually(IntegrationPodPhase(ns, integrationName),
TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+ route := Route(ns, integrationName)
+ Eventually(route, TestTimeoutMedium).ShouldNot(BeNil())
+ // must wait a little time after route is created,
before an http request,
+ // otherwise the route is unavailable and the http
request will fail
+ time.Sleep(waitBeforeHttpRequest)
+ code := "TLS_EdgeCustomCertificate"
+ url := fmt.Sprintf("https://%s/hello?name=%s";,
route().Spec.Host, code)
+ response, err := httpRequest(t, url, true)
+ assert.Nil(t, err)
+ assert.Equal(t, "Hello " + code, response)
+ Expect(Kamel("delete", "--all", "-n",
ns).Execute()).Should(BeNil())
+ })
+
+ // =============================
+ // TLS Route Passthrough
+ // =============================
+
+ t.Run("Route passthrough https works", func(t *testing.T) {
+ Expect(Kamel("run", "-n", ns,
"files/PlatformHttpServer.java",
+ // the --resource mounts the certificates
inside secret as files in the integration pod
+ "--resource", "secret:" + secretName +
"@/etc/ssl/" + secretName,
+ // quarkus platform-http uses these two
properties to setup the HTTP endpoint with TLS support
+ "-p",
"quarkus.http.ssl.certificate.file=/etc/ssl/" + secretName + "/tls.crt",
+ "-p",
"quarkus.http.ssl.certificate.key-file=/etc/ssl/" + secretName + "/tls.key",
+ "-t", "route.tls-termination=passthrough",
+ "-t", "container.port=8443",
+ ).Execute()).To(Succeed())
+ Eventually(IntegrationPodPhase(ns, integrationName),
TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+ route := Route(ns, integrationName)
+ Eventually(route, TestTimeoutMedium).ShouldNot(BeNil())
+ // must wait a little time after route is created,
before an http request,
+ // otherwise the route is unavailable and the http
request will fail
+ time.Sleep(waitBeforeHttpRequest)
+ code := "TLS_Passthrough"
+ url := fmt.Sprintf("https://%s/hello?name=%s";,
route().Spec.Host, code)
+ response, err := httpRequest(t, url, true)
+ assert.Nil(t, err)
+ assert.Equal(t, "Hello " + code, response)
+ Expect(Kamel("delete", "--all", "-n",
ns).Execute()).Should(BeNil())
+ })
+
+ // =============================
+ // TLS Route Reencrypt
+ // =============================
+
+ t.Run("Route Reencrypt https works", func(t *testing.T) {
+ Expect(Kamel("run", "-n", ns,
"files/PlatformHttpServer.java",
+ // the --resource mounts the certificates
inside secret as files in the integration pod
+ "--resource", "secret:" + secretName +
"@/etc/ssl/" + secretName,
+ // quarkus platform-http uses these two
properties to setup the HTTP endpoint with TLS support
+ "-p",
"quarkus.http.ssl.certificate.file=/etc/ssl/" + secretName + "/tls.crt",
+ "-p",
"quarkus.http.ssl.certificate.key-file=/etc/ssl/" + secretName + "/tls.key",
+ "-t", "route.tls-termination=reencrypt",
+ // the destination CA certificate which the
route service uses to validate the HTTP endpoint TLS certificate
+ "-t",
"route.tls-destination-ca-certificate-secret=" + refCert,
+ "-t", "route.tls-certificate-secret=" + refCert,
+ "-t", "route.tls-key-secret=" + refKey,
+ "-t", "container.port=8443",
+ ).Execute()).To(Succeed())
+ Eventually(IntegrationPodPhase(ns, integrationName),
TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+
+ route := Route(ns, integrationName)
+ Eventually(route, TestTimeoutMedium).ShouldNot(BeNil())
+ // must wait a little time after route is created,
before an http request,
+ // otherwise the route is unavailable and the http
request will fail
+ time.Sleep(waitBeforeHttpRequest)
+ code := "TLS_Reencrypt"
+ url := fmt.Sprintf("https://%s/hello?name=%s";,
route().Spec.Host, code)
+ response, err := httpRequest(t, url, true)
+ assert.Nil(t, err)
+ assert.Equal(t, "Hello " + code, response)
+ Expect(Kamel("delete", "--all", "-n",
ns).Execute()).Should(BeNil())
+ })
+ Expect(TestClient().Delete(TestContext, &secret)).To(Succeed())
+ })
+}
+
+func httpRequest(t *testing.T, url string, tlsEnabled bool) (string, error) {
+ var client http.Client
+ if tlsEnabled {
+ var transCfg http.Transport
+ if skipClientTLSVerification {
+ transCfg = http.Transport{
+ TLSClientConfig: &tls.Config {
+ InsecureSkipVerify: true,
+ },
+ }
+ } else {
+ certPool := x509.NewCertPool()
+ certPool.AppendCertsFromPEM(certPem)
+ transCfg = http.Transport{
+ TLSClientConfig: &tls.Config {
+ RootCAs: certPool,
+ },
+ }
+ }
+ client = http.Client{Transport: &transCfg}
+ } else {
+ client = http.Client{}
+ }
+ response, err := client.Get(url)
+ defer func() {
+ if response != nil {
+ _ = response.Body.Close()
+ }
+ }()
+ if err != nil {
+ fmt.Printf("Error making HTTP request. %s\n", err)
+ return "", err
+ }
+ assert.Nil(t, err)
+ buf := new(bytes.Buffer)
+ _, err = buf.ReadFrom(response.Body)
+ if err != nil {
+ fmt.Printf("Error reading the HTTP response. %s\n", err)
+ return "", err
+ }
+ assert.Nil(t, err)
+ return buf.String(), nil
+}
+
+func createSecret(ns string) (corev1.Secret, error) {
+ keyCertPair := generateSampleKeyAndCertificate(ns)
+ sec := corev1.Secret{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "Secret",
+ APIVersion: corev1.SchemeGroupVersion.String(),
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: ns,
+ Name: secretName,
+ },
+ Type: corev1.SecretTypeTLS,
+ Data: map[string][]byte{
+ corev1.TLSPrivateKeyKey: keyCertPair.Key,
+ corev1.TLSCertKey: keyCertPair.Certificate,
+ },
+ }
+ return sec, TestClient().Create(TestContext, &sec)
+}
+
+func generateSampleKeyAndCertificate(ns string) keyCertificatePair {
+ serialNumber := big.NewInt(rand2.Int63())
+ domainName, err := ClusterDomainName()
+ if err != nil {
+ fmt.Printf("Error retrieving cluster domain object, then the
http client request will skip TLS validation: %s\n", err)
+ skipClientTLSVerification = true
+ }
+ var dnsHostname string
+ if len(domainName) > 0 {
+ dnsHostname = integrationName + "-" + ns + "." + domainName
+ } else {
+ dnsHostname = integrationName + "-" + ns
+ }
+ x509Certificate := x509.Certificate{
+ SerialNumber: serialNumber,
+ Subject: pkix.Name{
+ Organization: []string{"Camel K test"},
+ },
+ IsCA: true,
+ DNSNames: []string{dnsHostname},
+ NotBefore: time.Now(),
+ NotAfter: time.Now().AddDate(1, 0, 0),
+ ExtKeyUsage:
[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+ KeyUsage: x509.KeyUsageKeyEncipherment |
x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+ BasicConstraintsValid: true,
+ }
+
+ // generate the private key
+ certPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+ if err != nil {
+ fmt.Printf("Error generating private key: %s\n", err)
+ }
+
+ privateKeyBytes := x509.MarshalPKCS1PrivateKey(certPrivateKey)
+ // encode for storing into secret
+ privateKeyPem := pem.EncodeToMemory(
+ &pem.Block{
+ Type: "RSA PRIVATE KEY",
+ Bytes: privateKeyBytes,
+ },
+ )
+ certBytes, err := x509.CreateCertificate(rand.Reader, &x509Certificate,
&x509Certificate, &certPrivateKey.PublicKey, certPrivateKey)
+ if err != nil {
+ fmt.Printf("Error generating certificate: %s\n", err)
+ }
+
+ // encode for storing into secret
+ certPem = pem.EncodeToMemory(&pem.Block{
+ Type: "CERTIFICATE",
+ Bytes: certBytes,
+ })
+
+ return keyCertificatePair {
+ Key: privateKeyPem,
+ Certificate: certPem,
+ }
+}
diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go
index 323362e..879d371 100644
--- a/e2e/support/test_support.go
+++ b/e2e/support/test_support.go
@@ -57,6 +57,7 @@ import (
messaging "knative.dev/eventing/pkg/apis/messaging/v1"
servingv1 "knative.dev/serving/pkg/apis/serving/v1"
+ configv1 "github.com/openshift/api/config/v1"
projectv1 "github.com/openshift/api/project/v1"
routev1 "github.com/openshift/api/route/v1"
@@ -120,6 +121,7 @@ func init() {
client.FastMapperAllowedAPIGroups["messaging.knative.dev"] = true
client.FastMapperAllowedAPIGroups["serving.knative.dev"] = true
client.FastMapperAllowedAPIGroups["operators.coreos.com"] = true
+ client.FastMapperAllowedAPIGroups["config.openshift.io"] = true
client.FastMapperAllowedAPIGroups["policy"] = true
var err error
@@ -1058,6 +1060,19 @@ func Kamelet(name string, ns string) func()
*v1alpha1.Kamelet {
}
}
+func ClusterDomainName() (string, error) {
+ dns := configv1.DNS{}
+ key := ctrl.ObjectKey{
+ Name: "cluster",
+ }
+ err := TestClient().Get(TestContext, key, &dns)
+ if err != nil {
+ return "", err
+ }
+ return dns.Spec.BaseDomain, nil
+}
+
+
/*
Tekton
*/
diff --git a/pkg/resources/resources.go b/pkg/resources/resources.go
index dce9012..04ad9ab 100644
--- a/pkg/resources/resources.go
+++ b/pkg/resources/resources.go
@@ -467,9 +467,9 @@ var assets = func() http.FileSystem {
"/traits.yaml": &vfsgen۰CompressedFileInfo{
name: "traits.yaml",
modTime: time.Time{},
- uncompressedSize: 39128,
+ uncompressedSize: 41625,
- compressedContent:
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x7d\x7b\x73\x24\xb7\xf1\xd8\xff\xf7\x29\x50\xfc\xa5\xea\x48\xd6\xee\xf0\x24\xc7\xb6\xc2\x44\x71\x51\x77\x27\x8b\xd2\x3d\x98\x23\x2d\x57\x4a\x51\x79\xb1\x33\xbd\xbb\x38\x62\x80\x31\x80\x21\x6f\x1d\xe7\xbb\xa7\xd0\x8d\xd7\xec\x0e\x97\xcb\x93\xa8\x12\x53\xb1\xff\xd0\x91\x9c\x69\x34\x1a\x8d\x7e\x77\x8f\x33\x5c\x38\x7b\xfa\x6c\xca\x14\x6f\xe1\x94\xf1\xc5\x42\x28\xe1\xd6\xcf\x18\xeb\x24\x77\x0b\x6d\xda\x53\xb6\xe0\xd2\x
[...]
+ compressedContent:
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x7d\x6b\x73\x23\x37\xb6\xd8\xf7\xf9\x15\x28\xde\x54\x8d\xa4\x22\x29\xd9\x9b\xdd\x75\x94\x38\x5b\xf2\xcc\x78\x2d\x7b\x1e\xca\x48\xeb\xad\xd4\xc4\xb5\x04\xbb\x0f\x49\x8c\xd0\x40\x2f\x80\x96\x86\x9b\x9b\xff\x9e\xc2\x39\x78\x35\xd9\xa2\xa8\xf1\xc8\xb1\x52\x77\xf7\x83\x47\x52\x37\x70\x70\x70\xde\xaf\x76\x86\x0b\x67\x4f\x9f\x4d\x98\xe2\x0d\x9c\x32\xbe\x58\x08\x25\xdc\xfa\x19\x63\xad\xe4\x6e\xa1\x4d\x73\xca\x16\x5c\x5a\x
[...]
},
}
fs["/"].(*vfsgen۰DirInfo).entries = []os.FileInfo{
diff --git a/pkg/trait/route.go b/pkg/trait/route.go
index 72d20f7..20f0c43 100644
--- a/pkg/trait/route.go
+++ b/pkg/trait/route.go
@@ -20,6 +20,7 @@ package trait
import (
"fmt"
"reflect"
+ "strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -28,10 +29,19 @@ import (
routev1 "github.com/openshift/api/route/v1"
v1 "github.com/apache/camel-k/pkg/apis/camel/v1"
+ "github.com/apache/camel-k/pkg/util/kubernetes"
)
// The Route trait can be used to configure the creation of OpenShift routes
for the integration.
//
+// The certificate and key contents may be sourced either from the local
filesystem or in a Openshift `secret` object.
+// The user may use the parameters ending in `-secret` (example:
`tls-certificate-secret`) to reference a certificate stored in a `secret`.
+// Parameters ending in `-secret` have higher priorities and in case the same
route parameter is set, for example: `tls-key-secret` and `tls-key`,
+// then `tls-key-secret` is used.
+// The recommended approach to set the key and certificates is to use
`secrets` to store their contents and use the
+// following parameters to reference them: `tls-certificate-secret`,
`tls-key-secret`, `tls-ca-certificate-secret`,
`tls-destination-ca-certificate-secret`
+// See the examples section at the end of this page to see the setup options.
+//
// +camel-k:trait=route
type routeTrait struct {
BaseTrait `property:",squash"`
@@ -39,31 +49,47 @@ type routeTrait struct {
Host string `property:"host" json:"host,omitempty"`
// The TLS termination type, like `edge`, `passthrough` or `reencrypt`.
//
- // Refer to the OpenShift documentation for additional information.
+ // Refer to the OpenShift route documentation for additional
information.
TLSTermination string `property:"tls-termination"
json:"tlsTermination,omitempty"`
// The TLS certificate contents.
//
- // Refer to the OpenShift documentation for additional information.
+ // Refer to the OpenShift route documentation for additional
information.
TLSCertificate string `property:"tls-certificate"
json:"tlsCertificate,omitempty"`
+ // The secret name and key reference to the TLS certificate. The format
is "secret-name[/key-name]", the value represents the secret name, if there is
only one key in the secret it will be read, otherwise you can set a key name
separated with a "/".
+ //
+ // Refer to the OpenShift route documentation for additional
information.
+ TLSCertificateSecret string `property:"tls-certificate-secret"
json:"tlsCertificateSecret,omitempty"`
// The TLS certificate key contents.
//
- // Refer to the OpenShift documentation for additional information.
+ // Refer to the OpenShift route documentation for additional
information.
TLSKey string `property:"tls-key" json:"tlsKey,omitempty"`
- // The TLS cert authority certificate contents.
+ // The secret name and key reference to the TLS certificate key. The
format is "secret-name[/key-name]", the value represents the secret name, if
there is only one key in the secret it will be read, otherwise you can set a
key name separated with a "/".
+ //
+ // Refer to the OpenShift route documentation for additional
information.
+ TLSKeySecret string `property:"tls-key-secret"
json:"tlsKeySecret,omitempty"`
+ // The TLS CA certificate contents.
//
- // Refer to the OpenShift documentation for additional information.
+ // Refer to the OpenShift route documentation for additional
information.
TLSCACertificate string `property:"tls-ca-certificate"
json:"tlsCACertificate,omitempty"`
+ // The secret name and key reference to the TLS CA certificate. The
format is "secret-name[/key-name]", the value represents the secret name, if
there is only one key in the secret it will be read, otherwise you can set a
key name separated with a "/".
+ //
+ // Refer to the OpenShift route documentation for additional
information.
+ TLSCACertificateSecret string `property:"tls-ca-certificate-secret"
json:"tlsCACertificateSecret,omitempty"`
// The destination CA certificate provides the contents of the ca
certificate of the final destination. When using reencrypt
// termination this file should be provided in order to have routers
use it for health checks on the secure connection.
// If this field is not specified, the router may provide its own
destination CA and perform hostname validation using
// the short service name (service.namespace.svc), which allows
infrastructure generated certificates to automatically
// verify.
//
- // Refer to the OpenShift documentation for additional information.
+ // Refer to the OpenShift route documentation for additional
information.
TLSDestinationCACertificate string
`property:"tls-destination-ca-certificate"
json:"tlsDestinationCACertificate,omitempty"`
+ // The secret name and key reference to the destination CA certificate.
The format is "secret-name[/key-name]", the value represents the secret name,
if there is only one key in the secret it will be read, otherwise you can set a
key name separated with a "/".
+ //
+ // Refer to the OpenShift route documentation for additional
information.
+ TLSDestinationCACertificateSecret string
`property:"tls-destination-ca-certificate-secret"
json:"tlsDestinationCACertificateSecret,omitempty"`
// To configure how to deal with insecure traffic, e.g. `Allow`,
`Disable` or `Redirect` traffic.
//
- // Refer to the OpenShift documentation for additional information.
+ // Refer to the OpenShift route documentation for additional
information.
TLSInsecureEdgeTerminationPolicy string
`property:"tls-insecure-edge-termination-policy"
json:"tlsInsecureEdgeTerminationPolicy,omitempty"`
service *corev1.Service
@@ -122,6 +148,10 @@ func (t *routeTrait) Apply(e *Environment) error {
servicePortName = dt.(*containerTrait).ServicePortName
}
+ tlsConfig, err := t.getTLSConfig()
+ if err != nil {
+ return err
+ }
route := routev1.Route{
TypeMeta: metav1.TypeMeta{
Kind: "Route",
@@ -143,7 +173,7 @@ func (t *routeTrait) Apply(e *Environment) error {
Name: t.service.Name,
},
Host: t.Host,
- TLS: t.getTLSConfig(),
+ TLS: tlsConfig,
},
}
@@ -174,19 +204,83 @@ func (t *routeTrait) Apply(e *Environment) error {
return nil
}
-func (t *routeTrait) getTLSConfig() *routev1.TLSConfig {
+func (t *routeTrait) getTLSConfig() (*routev1.TLSConfig, error) {
+ // a certificate is a multiline text, but to set it as value in a
single line in CLI, the user must escape the new line character as \\n
+ // but in the TLS configuration, the certificates should be a multiline
string
+ // then we need to replace the incoming escaped new lines \\n for a
real new line \n
+ key := strings.ReplaceAll(t.TLSKey, "\\n", "\n")
+ certificate := strings.ReplaceAll(t.TLSCertificate, "\\n", "\n")
+ CACertificate := strings.ReplaceAll(t.TLSCACertificate, "\\n", "\n")
+ destinationCAcertificate :=
strings.ReplaceAll(t.TLSDestinationCACertificate, "\\n", "\n")
+ var err error
+ if t.TLSKeySecret != "" {
+ key, err = t.readContentIfExists(t.TLSKeySecret)
+ if err != nil {
+ return nil, err
+ }
+ }
+ if t.TLSCertificateSecret != "" {
+ certificate, err = t.readContentIfExists(t.TLSCertificateSecret)
+ if err != nil {
+ return nil, err
+ }
+ }
+ if t.TLSCACertificateSecret != "" {
+ CACertificate, err =
t.readContentIfExists(t.TLSCACertificateSecret)
+ if err != nil {
+ return nil, err
+ }
+ }
+ if t.TLSDestinationCACertificateSecret != "" {
+ destinationCAcertificate, err =
t.readContentIfExists(t.TLSDestinationCACertificateSecret)
+ if err != nil {
+ return nil, err
+ }
+ }
+
config := routev1.TLSConfig{
Termination:
routev1.TLSTerminationType(t.TLSTermination),
- Certificate: t.TLSCertificate,
- Key: t.TLSKey,
- CACertificate: t.TLSCACertificate,
- DestinationCACertificate: t.TLSDestinationCACertificate,
+ Key: key,
+ Certificate: certificate,
+ CACertificate: CACertificate,
+ DestinationCACertificate: destinationCAcertificate,
InsecureEdgeTerminationPolicy:
routev1.InsecureEdgeTerminationPolicyType(t.TLSInsecureEdgeTerminationPolicy),
}
if reflect.DeepEqual(config, routev1.TLSConfig{}) {
- return nil
+ return nil, nil
}
- return &config
+ return &config, nil
}
+
+func (t *routeTrait) readContentIfExists(secretName string) (string, error) {
+ key := ""
+ strs := strings.Split(secretName, "/")
+ if len(strs) > 1 {
+ secretName = strs[0]
+ key = strs[1]
+ }
+
+ secret := kubernetes.LookupSecret(t.Ctx, t.Client, t.service.Namespace,
secretName)
+ if secret == nil {
+ return "", fmt.Errorf("%s secret not found in %s namespace,
make sure to provide it before the Integration can run", secretName,
t.service.Namespace)
+ }
+ if len(secret.Data) > 1 && len(key) == 0 {
+ return "", fmt.Errorf("secret %s contains multiple data keys,
but no key was provided", secretName)
+ }
+ if len(secret.Data) == 1 && len(key) == 0 {
+ for _, value := range secret.Data {
+ content := string(value)
+ return content, nil
+ }
+ }
+ if len(key) > 0 {
+ content := string(secret.Data[key])
+ if len(content) == 0 {
+ return "", fmt.Errorf("Could not find key %s in secret
%s in namespace %s", key, secretName, t.service.Namespace)
+ }
+ return content, nil
+ }
+ return "", nil
+}
\ No newline at end of file
diff --git a/pkg/trait/route_test.go b/pkg/trait/route_test.go
index 764fedc..fe3f153 100644
--- a/pkg/trait/route_test.go
+++ b/pkg/trait/route_test.go
@@ -35,13 +35,105 @@ import (
"github.com/apache/camel-k/pkg/util/test"
)
+const (
+ host = "my-host1"
+ key = `-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKulUTZ8B1qccZ8c
+DXRGSY08gW8KvLlcxxxGC4gZHNT3CBUF8n5R4KE30aZyYZ/rtsQZu05juZJxaJ0q
+mbe75dlQ5d+Xc9BMXeQg/MpTZw5TAN7OIdGYYpFBe+1PLZ6wEfjkYrMqMUcfq2Lq
+hTLdAbvBJnuRcYZLqmBeOQ8FTrKrAgMBAAECgYEAnkHRbEPU3/WISSQrP36iyCb2
+S/SBZwKkzmvCrBxDWhPeDswp9c/2JY76rNWfLzy8iXgUG8WUzvHje61Qh3gmBcKe
+bUaTGl4Vy8Ha1YBADo5RfRrdm0FE4tvgvu/TkqFqpBBZweu54285hk5zlG7n/D7Y
+dnNXUpu5MlNb5x3gW0kCQQDUL//cwcXUxY/evaJP4jSe+ZwEQZo+zXRLiPUulBoV
+aw28CVMuxdgwqAo1X1IKefPeUaf7RQu8gCKaRnpGuEuXAkEAzxZTfMmvmCUDIew4
+5Gk6bK265XQWdhcgiq254lpBGOYmDj9yCE7yA+zmASQwMsXTdQOi1hOCEyrXuSJ5
+c++EDQJAFh3WrnzoEPByuYXMmET8tSFRWMQ5vpgNqh3haHR5b4gUC2hxaiunCBNL
+1RpVY9AoUiDywGcG/SPh93CnKB3niwJBAKP7AtsifZgVXtiizB4aMThTjVYaSZrz
+D0Kg9DuHylpkDChmFu77TGrNUQgAVuYtfhb/bRblVa/F0hJ4eQHT3JUCQBVT68tb
+OgRUk0aP9tC3021VN82X6+klowSQN8oBPX8+TfDWSUilp/+j24Hky+Z29Do7yR/R
+qutnL92CvBlVLV4=
+-----END PRIVATE KEY-----
+`
+ cert = `-----BEGIN CERTIFICATE-----
+MIIBajCCARCgAwIBAgIUbYqrLSOSQHoxD8CwG6Bi2PJi9c8wCgYIKoZIzj0EAwIw
+EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNDI0MjE0MzAwWhcNMzcwNDE5MjE0
+MzAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABJk/VyMPYdaqDXJb/VXh5n/1Yuv7iNrxV3Qb3l06XD46seovcDWs3IZNV1lf
+3Skyr0ofcchipoiHkXBODojJydSjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBRUXxuRcnFjDfR/RIAUQab8ZV/n4jAKBggqhkjO
+PQQDAgNIADBFAiAy+JTe6Uc3KyLCMiqGl2GyWGQqQDEcO3/YG36x7om65AIhAJvz
+pxv6zFeVEkAEEkqIYi0omA9+CjanB/6Bz4n1uw8H
+-----END CERTIFICATE-----
+`
+ caCert = `-----BEGIN CERTIFICATE-----
+BLAajCCARCgAwIBAgIUbYqrLSOSQHoxD8CwG6Bi2PJi9c8wCgYIKoZIzj0EAwIw
+EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNDI0MjE0MzAwWhcNMzcwNDE5MjE0
+MzAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABJk/VyMPYdaqDXJb/VXh5n/1Yuv7iNrxV3Qb3l06XD46seovcDWs3IZNV1lf
+3Skyr0ofcchipoiHkXBODojJydSjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBRUXxuRcnFjDfR/RIAUQab8ZV/n4jAKBggqhkjO
+PQQDAgNIADBFAiAy+JTe6Uc3KyLCMiqGl2GyWGQqQDEcO3/YG36x7om65AIhAJvz
+pxv6zFeVEkAEEkqIYi0omA9+CjanB/6Bz4n1uw8H
+-----END CERTIFICATE-----
+`
+ destinationCaCert = `-----BEGIN CERTIFICATE-----
+FOOBARCCARCgAwIBAgIUbYqrLSOSQHoxD8CwG6Bi2PJi9c8wCgYIKoZIzj0EAwIw
+EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNDI0MjE0MzAwWhcNMzcwNDE5MjE0
+MzAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABJk/VyMPYdaqDXJb/VXh5n/1Yuv7iNrxV3Qb3l06XD46seovcDWs3IZNV1lf
+3Skyr0ofcchipoiHkXBODojJydSjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBRUXxuRcnFjDfR/RIAUQab8ZV/n4jAKBggqhkjO
+PQQDAgNIADBFAiAy+JTe6Uc3KyLCMiqGl2GyWGQqQDEcO3/YG36x7om65AIhAJvz
+pxv6zFeVEkAEEkqIYi0omA9+CjanB/6Bz4n1uw8H
+-----END CERTIFICATE-----
+`
+
+ tlsKeySecretName = "tls-test"
+ tlsKeySecretOnlyKeyName = "tls.key"
+ tlsKeySecretKeyName = tlsKeySecretName + "/" +
tlsKeySecretOnlyKeyName
+
+ tlsMultipleSecretsName = "tls-multiple-test"
+ tlsMultipleSecretsCert1Key = "cert1.crt"
+ tlsMultipleSecretsCert2Key = "cert2.crt"
+ tlsMultipleSecretsCert3Key = "cert3.crt"
+)
+
func createTestRouteEnvironment(t *testing.T, name string) *Environment {
catalog, err := camel.DefaultCatalog()
assert.Nil(t, err)
-
+ client, _ := test.NewFakeClient(
+ &corev1.Secret{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "v1",
+ Kind: "Secret",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: "test-ns",
+ Name: tlsKeySecretName,
+ },
+ Data: map[string][]byte{
+ tlsKeySecretOnlyKeyName: []byte(key),
+ },
+ },
+ &corev1.Secret{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "v1",
+ Kind: "Secret",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: "test-ns",
+ Name: tlsMultipleSecretsName,
+ },
+ Data: map[string][]byte{
+ tlsMultipleSecretsCert1Key: []byte(cert),
+ tlsMultipleSecretsCert2Key: []byte(caCert),
+ tlsMultipleSecretsCert3Key:
[]byte(destinationCaCert),
+ },
+ },
+ )
res := &Environment{
CamelCatalog: catalog,
- Catalog: NewCatalog(context.TODO(), nil),
+ Catalog: NewCatalog(context.TODO(), client),
Integration: &v1.Integration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
@@ -154,14 +246,14 @@ func TestRoute_Configure_IntegrationKitOnly(t *testing.T)
{
assert.Nil(t, err)
}
-func TestRoute_TLS(t *testing.T) {
+func TestRoute_Host(t *testing.T) {
name := xid.New().String()
environment := createTestRouteEnvironment(t, name)
traitsCatalog := environment.Catalog
environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
"route": test.TraitSpecFromMap(t, map[string]interface{}{
- "tlsTermination": string(routev1.TLSTerminationEdge),
+ "host": host,
}),
}
@@ -176,8 +268,229 @@ func TestRoute_TLS(t *testing.T) {
})
assert.NotNil(t, route)
+ assert.Equal(t, host, route.Spec.Host)
+ assert.Nil(t, route.Spec.TLS)
+}
+
+func TestRoute_TLS_From_Secret_reencrypt(t *testing.T) {
+ name := xid.New().String()
+ environment := createTestRouteEnvironment(t, name)
+ traitsCatalog := environment.Catalog
+
+ environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+ "route": test.TraitSpecFromMap(t, map[string]interface{}{
+ "tlsTermination":
string(routev1.TLSTerminationReencrypt),
+ "host": host,
+ "tlsKeySecret": tlsKeySecretName,
+ "tlsCertificateSecret":
tlsMultipleSecretsName + "/" + tlsMultipleSecretsCert1Key,
+ "tlsCACertificateSecret":
tlsMultipleSecretsName + "/" + tlsMultipleSecretsCert2Key,
+ "tlsDestinationCACertificateSecret":
tlsMultipleSecretsName + "/" + tlsMultipleSecretsCert3Key,
+ }),
+ }
+ err := traitsCatalog.apply(environment)
+
+ assert.Nil(t, err)
+ assert.NotEmpty(t, environment.ExecutedTraits)
+ assert.NotNil(t, environment.GetTrait("route"))
+
+ route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+ return r.ObjectMeta.Name == name
+ })
+
+ assert.NotNil(t, route)
+ assert.NotNil(t, route.Spec.TLS)
+ assert.Equal(t, routev1.TLSTerminationReencrypt,
route.Spec.TLS.Termination)
+ assert.Equal(t, key, route.Spec.TLS.Key)
+ assert.Equal(t, host, route.Spec.Host)
+ assert.Equal(t, cert, route.Spec.TLS.Certificate)
+ assert.Equal(t, caCert, route.Spec.TLS.CACertificate)
+ assert.Equal(t, destinationCaCert,
route.Spec.TLS.DestinationCACertificate)
+}
+
+func TestRoute_TLS_wrong_secret(t *testing.T) {
+ name := xid.New().String()
+ environment := createTestRouteEnvironment(t, name)
+ traitsCatalog := environment.Catalog
+
+ environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+ "route": test.TraitSpecFromMap(t, map[string]interface{}{
+ "tlsTermination":
string(routev1.TLSTerminationReencrypt),
+ "host": host,
+ "tlsKeySecret": "foo",
+ "tlsCertificateSecret": "bar",
+ "tlsCACertificateSecret": "test",
+ "tlsDestinationCACertificateSecret": "404",
+ }),
+ }
+ err := traitsCatalog.apply(environment)
+
+ // there must be errors as the trait has wrong configuration
+ assert.NotNil(t, err)
+ assert.Nil(t, environment.GetTrait("route"))
+
+ route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+ return r.ObjectMeta.Name == name
+ })
+
+ // route trait is expected to not be created
+ assert.Nil(t, route)
+}
+
+func TestRoute_TLS_secret_wrong_key(t *testing.T) {
+ name := xid.New().String()
+ environment := createTestRouteEnvironment(t, name)
+ traitsCatalog := environment.Catalog
+
+ environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+ "route": test.TraitSpecFromMap(t, map[string]interface{}{
+ "tlsTermination":
string(routev1.TLSTerminationReencrypt),
+ "host": host,
+ "tlsKeySecret": tlsKeySecretName,
+ "tlsCertificateSecret": tlsMultipleSecretsName + "/"
+ tlsMultipleSecretsCert1Key,
+ "tlsCACertificateSecret": tlsMultipleSecretsName +
"/foo",
+ }),
+ }
+ err := traitsCatalog.apply(environment)
+
+ // there must be errors as the trait has wrong configuration
+ assert.NotNil(t, err)
+ assert.Nil(t, environment.GetTrait("route"))
+
+ route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+ return r.ObjectMeta.Name == name
+ })
+
+ // route trait is expected to not be created
+ assert.Nil(t, route)
+}
+
+func TestRoute_TLS_secret_missing_key(t *testing.T) {
+ name := xid.New().String()
+ environment := createTestRouteEnvironment(t, name)
+ traitsCatalog := environment.Catalog
+
+ environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+ "route": test.TraitSpecFromMap(t, map[string]interface{}{
+ "tlsTermination":
string(routev1.TLSTerminationReencrypt),
+ "host": host,
+ "tlsKeySecret": tlsKeySecretName,
+ "tlsCertificateSecret": tlsMultipleSecretsName + "/"
+ tlsMultipleSecretsCert1Key,
+ "tlsCACertificateSecret": tlsMultipleSecretsName,
+ }),
+ }
+ err := traitsCatalog.apply(environment)
+
+ // there must be errors as the trait has wrong configuration
+ assert.NotNil(t, err)
+ assert.Nil(t, environment.GetTrait("route"))
+
+ route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+ return r.ObjectMeta.Name == name
+ })
+
+ // route trait is expected to not be created
+ assert.Nil(t, route)
+}
+
+func TestRoute_TLS_reencrypt(t *testing.T) {
+ name := xid.New().String()
+ environment := createTestRouteEnvironment(t, name)
+ traitsCatalog := environment.Catalog
+
+ environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+ "route": test.TraitSpecFromMap(t, map[string]interface{}{
+ "tlsTermination":
string(routev1.TLSTerminationReencrypt),
+ "host": host,
+ "tlsKey": key,
+ "tlsCertificate": cert,
+ "tlsCACertificate": caCert,
+ "tlsDestinationCACertificate": destinationCaCert,
+ }),
+ }
+ err := traitsCatalog.apply(environment)
+
+ assert.Nil(t, err)
+ assert.NotEmpty(t, environment.ExecutedTraits)
+ assert.NotNil(t, environment.GetTrait("route"))
+
+ route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+ return r.ObjectMeta.Name == name
+ })
+
+ assert.NotNil(t, route)
+ assert.NotNil(t, route.Spec.TLS)
+ assert.Equal(t, routev1.TLSTerminationReencrypt,
route.Spec.TLS.Termination)
+ assert.Equal(t, key, route.Spec.TLS.Key)
+ assert.Equal(t, host, route.Spec.Host)
+ assert.Equal(t, cert, route.Spec.TLS.Certificate)
+ assert.Equal(t, caCert, route.Spec.TLS.CACertificate)
+ assert.Equal(t, destinationCaCert,
route.Spec.TLS.DestinationCACertificate)
+}
+
+func TestRoute_TLS_edge(t *testing.T) {
+ name := xid.New().String()
+ environment := createTestRouteEnvironment(t, name)
+ traitsCatalog := environment.Catalog
+
+ environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+ "route": test.TraitSpecFromMap(t, map[string]interface{}{
+ "tlsTermination": string(routev1.TLSTerminationEdge),
+ "host": host,
+ "tlsKey": key,
+ "tlsCertificate": cert,
+ "tlsCACertificate": caCert,
+ }),
+ }
+ err := traitsCatalog.apply(environment)
+
+ assert.Nil(t, err)
+ assert.NotEmpty(t, environment.ExecutedTraits)
+ assert.NotNil(t, environment.GetTrait("route"))
+
+ route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+ return r.ObjectMeta.Name == name
+ })
+
+ assert.NotNil(t, route)
assert.NotNil(t, route.Spec.TLS)
assert.Equal(t, routev1.TLSTerminationEdge, route.Spec.TLS.Termination)
+ assert.Equal(t, key, route.Spec.TLS.Key)
+ assert.Equal(t, host, route.Spec.Host)
+ assert.Equal(t, cert, route.Spec.TLS.Certificate)
+ assert.Equal(t, caCert, route.Spec.TLS.CACertificate)
+ assert.Empty(t, route.Spec.TLS.DestinationCACertificate)
+}
+
+func TestRoute_TLS_passthrough(t *testing.T) {
+ name := xid.New().String()
+ environment := createTestRouteEnvironment(t, name)
+ traitsCatalog := environment.Catalog
+
+ environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+ "route": test.TraitSpecFromMap(t, map[string]interface{}{
+ "tlsTermination":
string(routev1.TLSTerminationPassthrough),
+ "host": host,
+ "tlsInsecureEdgeTerminationPolicy":
routev1.InsecureEdgeTerminationPolicyAllow,
+ }),
+ }
+ err := traitsCatalog.apply(environment)
+
+ assert.Nil(t, err)
+ assert.NotEmpty(t, environment.ExecutedTraits)
+ assert.NotNil(t, environment.GetTrait("route"))
+
+ route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+ return r.ObjectMeta.Name == name
+ })
+
+ assert.NotNil(t, route)
+ assert.NotNil(t, route.Spec.TLS)
+ assert.Equal(t, routev1.TLSTerminationPassthrough,
route.Spec.TLS.Termination)
+ assert.Equal(t, host, route.Spec.Host)
+ assert.Equal(t, routev1.InsecureEdgeTerminationPolicyAllow,
route.Spec.TLS.InsecureEdgeTerminationPolicy)
+ assert.Empty(t, route.Spec.TLS.Certificate)
+ assert.Empty(t, route.Spec.TLS.CACertificate)
+ assert.Empty(t, route.Spec.TLS.DestinationCACertificate)
}
func TestRoute_WithCustomServicePort(t *testing.T) {
diff --git a/pkg/util/openshift/register.go b/pkg/util/openshift/register.go
index 1687b1f..b7af756 100644
--- a/pkg/util/openshift/register.go
+++ b/pkg/util/openshift/register.go
@@ -23,6 +23,7 @@ import (
apps "github.com/openshift/api/apps/v1"
authorization "github.com/openshift/api/authorization/v1"
build "github.com/openshift/api/build/v1"
+ config "github.com/openshift/api/config/v1"
console "github.com/openshift/api/console/v1"
image "github.com/openshift/api/image/v1"
project "github.com/openshift/api/project/v1"
@@ -46,6 +47,7 @@ func AddToScheme(scheme *runtime.Scheme) error {
err = doAdd(build.Install, scheme, err)
err = doAdd(authorization.Install, scheme, err)
err = doAdd(project.Install, scheme, err)
+ err = doAdd(config.Install, scheme, err)
// OpenShift console API
err = doAdd(console.Install, scheme, err)
