This is an automated email from the ASF dual-hosted git repository.

astefanutti pushed a commit to branch release-1.6.x
in repository https://gitbox.apache.org/repos/asf/camel-k.git


The following commit(s) were added to refs/heads/release-1.6.x by this push:
     new 4d716fa  trait/route: Add tests for route trait and read certificate 
from secrets
4d716fa is described below

commit 4d716fa1c160a34f092e2062f8b5b06cbb016d37
Author: Claudio Miranda <clau...@claudius.com.br>
AuthorDate: Thu Aug 12 19:00:47 2021 -0300

    trait/route: Add tests for route trait and read certificate from secrets
    
    * Add parameters to read TLS certificates from secrets
    * Add unit tests for route TLS configuration
    * Add e2e tests for route TLS configuration
    * Add example in route trait documentation
---
 deploy/traits.yaml                              |  56 +++-
 docs/modules/traits/pages/route.adoc            |  97 ++++++-
 e2e/common/traits/files/PlatformHttpServer.java |  25 ++
 e2e/common/traits/route_test.go                 | 337 ++++++++++++++++++++++++
 e2e/support/test_support.go                     |  15 ++
 pkg/resources/resources.go                      |   4 +-
 pkg/trait/route.go                              | 124 +++++++--
 pkg/trait/route_test.go                         | 321 +++++++++++++++++++++-
 pkg/util/openshift/register.go                  |   2 +
 9 files changed, 944 insertions(+), 37 deletions(-)

diff --git a/deploy/traits.yaml b/deploy/traits.yaml
index 62f63c0..e1ce66d 100755
--- a/deploy/traits.yaml
+++ b/deploy/traits.yaml
@@ -820,8 +820,17 @@ traits:
   platform: false
   profiles:
   - OpenShift
-  description: The Route trait can be used to configure the creation of 
OpenShift
-    routes for the integration.
+  description: 'The Route trait can be used to configure the creation of 
OpenShift
+    routes for the integration. The certificate and key contents may be 
sourced either
+    from the local filesystem or in a Openshift `secret` object. The user may 
use
+    the parameters ending in `-secret` (example: `tls-certificate-secret`) to 
reference
+    a certificate stored in a `secret`. Parameters ending in `-secret` have 
higher
+    priorities and in case the same route parameter is set, for example: 
`tls-key-secret`
+    and `tls-key`, then `tls-key-secret` is used. The recommended approach to 
set
+    the key and certificates is to use `secrets` to store their contents and 
use the
+    following parameters to reference them: `tls-certificate-secret`, 
`tls-key-secret`,
+    `tls-ca-certificate-secret`, `tls-destination-ca-certificate-secret` See 
the examples
+    section at the end of this page to see the setup options.'
   properties:
   - name: enabled
     type: bool
@@ -833,19 +842,40 @@ traits:
   - name: tls-termination
     type: string
     description: The TLS termination type, like `edge`, `passthrough` or 
`reencrypt`.Refer
-      to the OpenShift documentation for additional information.
+      to the OpenShift route documentation for additional information.
   - name: tls-certificate
     type: string
-    description: The TLS certificate contents.Refer to the OpenShift 
documentation
+    description: The TLS certificate contents.Refer to the OpenShift route 
documentation
       for additional information.
+  - name: tls-certificate-secret
+    type: string
+    description: The secret name and key reference to the TLS certificate. The 
format
+      is "secret-name[/key-name]", the value represents the secret name, if 
there
+      is only one key in the secret it will be read, otherwise you can set a 
key name
+      separated with a "/".Refer to the OpenShift route documentation for 
additional
+      information.
   - name: tls-key
     type: string
-    description: The TLS certificate key contents.Refer to the OpenShift 
documentation
+    description: The TLS certificate key contents.Refer to the OpenShift route 
documentation
       for additional information.
+  - name: tls-key-secret
+    type: string
+    description: The secret name and key reference to the TLS certificate key. 
The
+      format is "secret-name[/key-name]", the value represents the secret 
name, if
+      there is only one key in the secret it will be read, otherwise you can 
set a
+      key name separated with a "/".Refer to the OpenShift route documentation 
for
+      additional information.
   - name: tls-ca-certificate
     type: string
-    description: The TLS cert authority certificate contents.Refer to the 
OpenShift
-      documentation for additional information.
+    description: The TLS CA certificate contents.Refer to the OpenShift route 
documentation
+      for additional information.
+  - name: tls-ca-certificate-secret
+    type: string
+    description: The secret name and key reference to the TLS CA certificate. 
The
+      format is "secret-name[/key-name]", the value represents the secret 
name, if
+      there is only one key in the secret it will be read, otherwise you can 
set a
+      key name separated with a "/".Refer to the OpenShift route documentation 
for
+      additional information.
   - name: tls-destination-ca-certificate
     type: string
     description: The destination CA certificate provides the contents of the 
ca certificate
@@ -854,11 +884,19 @@ traits:
       connection.If this field is not specified, the router may provide its 
own destination
       CA and perform hostname validation usingthe short service name 
(service.namespace.svc),
       which allows infrastructure generated certificates to 
automaticallyverify.Refer
-      to the OpenShift documentation for additional information.
+      to the OpenShift route documentation for additional information.
+  - name: tls-destination-ca-certificate-secret
+    type: string
+    description: The secret name and key reference to the destination CA 
certificate.
+      The format is "secret-name[/key-name]", the value represents the secret 
name,
+      if there is only one key in the secret it will be read, otherwise you 
can set
+      a key name separated with a "/".Refer to the OpenShift route 
documentation for
+      additional information.
   - name: tls-insecure-edge-termination-policy
     type: string
     description: To configure how to deal with insecure traffic, e.g. `Allow`, 
`Disable`
-      or `Redirect` traffic.Refer to the OpenShift documentation for 
additional information.
+      or `Redirect` traffic.Refer to the OpenShift route documentation for 
additional
+      information.
 - name: service-binding
   platform: false
   profiles:
diff --git a/docs/modules/traits/pages/route.adoc 
b/docs/modules/traits/pages/route.adoc
index 3e2254e..493586c 100755
--- a/docs/modules/traits/pages/route.adoc
+++ b/docs/modules/traits/pages/route.adoc
@@ -3,6 +3,14 @@
 // Start of autogenerated code - DO NOT EDIT! (description)
 The Route trait can be used to configure the creation of OpenShift routes for 
the integration.
 
+The certificate and key contents may be sourced either from the local 
filesystem or in a Openshift `secret` object.
+The user may use the parameters ending in `-secret` (example: 
`tls-certificate-secret`) to reference a certificate stored in a `secret`.
+Parameters ending in `-secret` have higher priorities and in case the same 
route parameter is set, for example: `tls-key-secret` and `tls-key`,
+then `tls-key-secret` is used.
+The recommended approach to set the key and certificates is to use `secrets` 
to store their contents and use the
+following parameters to reference them: `tls-certificate-secret`, 
`tls-key-secret`, `tls-ca-certificate-secret`, 
`tls-destination-ca-certificate-secret`
+See the examples section at the end of this page to see the setup options.
+
 
 This trait is available in the following profiles: **OpenShift**.
 
@@ -33,25 +41,43 @@ The following configuration options are available:
 | string
 | The TLS termination type, like `edge`, `passthrough` or `reencrypt`.
 
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
 
 | route.tls-certificate
 | string
 | The TLS certificate contents.
 
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
+
+| route.tls-certificate-secret
+| string
+| The secret name and key reference to the TLS certificate. The format is 
"secret-name[/key-name]", the value represents the secret name, if there is 
only one key in the secret it will be read, otherwise you can set a key name 
separated with a "/".
+
+Refer to the OpenShift route documentation for additional information.
 
 | route.tls-key
 | string
 | The TLS certificate key contents.
 
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
+
+| route.tls-key-secret
+| string
+| The secret name and key reference to the TLS certificate key. The format is 
"secret-name[/key-name]", the value represents the secret name, if there is 
only one key in the secret it will be read, otherwise you can set a key name 
separated with a "/".
+
+Refer to the OpenShift route documentation for additional information.
 
 | route.tls-ca-certificate
 | string
-| The TLS cert authority certificate contents.
+| The TLS CA certificate contents.
 
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
+
+| route.tls-ca-certificate-secret
+| string
+| The secret name and key reference to the TLS CA certificate. The format is 
"secret-name[/key-name]", the value represents the secret name, if there is 
only one key in the secret it will be read, otherwise you can set a key name 
separated with a "/".
+
+Refer to the OpenShift route documentation for additional information.
 
 | route.tls-destination-ca-certificate
 | string
@@ -61,14 +87,71 @@ If this field is not specified, the router may provide its 
own destination CA an
 the short service name (service.namespace.svc), which allows infrastructure 
generated certificates to automatically
 verify.
 
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
+
+| route.tls-destination-ca-certificate-secret
+| string
+| The secret name and key reference to the destination CA certificate. The 
format is "secret-name[/key-name]", the value represents the secret name, if 
there is only one key in the secret it will be read, otherwise you can set a 
key name separated with a "/".
+
+Refer to the OpenShift route documentation for additional information.
 
 | route.tls-insecure-edge-termination-policy
 | string
 | To configure how to deal with insecure traffic, e.g. `Allow`, `Disable` or 
`Redirect` traffic.
 
-Refer to the OpenShift documentation for additional information.
+Refer to the OpenShift route documentation for additional information.
 
 |===
 
 // End of autogenerated code - DO NOT EDIT! (configuration)
+
+== Examples
+
+These examples uses *secrets* to store the certificates and keys to be 
referenced in the integrations. Read Openshift route documentation for detailed 
information about routes. The 
https://github.com/apache/camel-k/blob/main/examples/http/PlatformHttpServer.java[PlatformHttpServer.java]
 is the integration example. 
+
+As a requirement to run these examples, you should have a `secret` with a key 
and certificate.
+
+=== Generate a self-signed certificate and create a secret
+
+[source,console]
+openssl genrsa -out tls.key
+openssl req -new -key tls.key -out csr.csr -subj "/CN=my-server.com"
+openssl x509 -req -in csr.csr -signkey tls.key -out tls.crt
+oc create secret tls my-combined-certs --key=tls.key  --cert=tls.crt
+
+=== Making an HTTP request to the route
+
+For all examples, you can use the following curl command to make an HTTP 
request. It makes use of inline scripts to retrieve the openshift namespace and 
cluster base domain, if you are using a shell which doesn't support these 
inline scripts, you should replace the inline scripts with the values of your 
actual namespace and base domain.
+
+[source,console]
+curl -k https://platform-http-server-`oc config view --minify -o 
'jsonpath={..namespace}'`.`oc get dnses/cluster 
-ojsonpath='{.spec.baseDomain}'`/hello?name=Camel-K
+
+* To add an *edge* route using secrets, use the parameters ending in `-secret` 
to set the secret name which contains the certificate. This route example trait 
references a secret named `my-combined-certs` which contains two keys named 
`tls.key` and `tls.crt`.
++
+[source,console]
+kamel run --dev PlatformHttpServer.java -t route.tls-termination=edge -t 
route.tls-certificate-secret=my-combined-certs/tls.crt -t 
route.tls-key-secret=my-combined-certs/tls.key
+
+* To add a *passthrough* route using secrets, the TLS is setup in the 
integration pod, the keys and certificates should be visible in the running 
integration pod, to achieve this we are using the `--resource` kamel parameter 
to mount the secret in the integration pod, then we use some camel quarkus 
parameters to reference these certificate files in the running pod, they start 
with `-p quarkus.http.ssl.certificate`. This route example trait references a 
secret named `my-combined-certs` wh [...]
++
+[source,console]
+kamel run --dev PlatformHttpServer.java --resource 
secret:my-combined-certs@/etc/ssl/my-combined-certs -p 
quarkus.http.ssl.certificate.file=/etc/ssl/my-combined-certs/tls.crt -p 
quarkus.http.ssl.certificate.key-file=/etc/ssl/my-combined-certs/tls.key -t 
route.tls-termination=passthrough -t container.port=8443
+
+* To add a *reencrypt* route using secrets, the TLS is setup in the 
integration pod, the keys and certificates should be visible in the running 
integration pod, to achieve this we are using the `--resource` kamel parameter 
to mount the secret in the integration pod, then we use some camel quarkus 
parameters to reference these certificate files in the running pod, they start 
with `-p quarkus.http.ssl.certificate`. This route example trait references a 
secret named `my-combined-certs` whic [...]
++
+[source,console]
+kamel run --dev PlatformHttpServer.java --resource 
secret:my-combined-certs@/etc/ssl/my-combined-certs  -p 
quarkus.http.ssl.certificate.file=/etc/ssl/my-combined-certs/tls.crt -p 
quarkus.http.ssl.certificate.key-file=/etc/ssl/my-combined-certs/tls.key -t 
route.tls-termination=reencrypt -t 
route.tls-destination-ca-certificate-secret=my-combined-certs/tls.crt -t 
route.tls-certificate-secret=my-combined-certs/tls.crt -t 
route.tls-key-secret=my-combined-certs/tls.key -t container.port=8443
+
+* To add a *reencrypt* route using a specific certificate from a secret for 
the route and 
https://docs.openshift.com/container-platform/4.8/security/certificates/service-serving-certificate.html#add-service-certificate_service-serving-certificate[Openshift
 service serving certificates] for the integration endpoint. This way the 
Openshift service serving certificates is set up only in the integration pod. 
The keys and certificates should be visible in the running integration pod, to 
achie [...]
++
+[source,console]
+kamel run --dev PlatformHttpServer.java --resource 
secret:cert-from-openshift@/etc/ssl/cert-from-openshift  -p 
quarkus.http.ssl.certificate.file=/etc/ssl/cert-from-openshift/tls.crt -p 
quarkus.http.ssl.certificate.key-file=/etc/ssl/cert-from-openshift/tls.key -t 
route.tls-termination=reencrypt -t 
route.tls-certificate-secret=my-combined-certs/tls.crt -t 
route.tls-key-secret=my-combined-certs/tls.key -t container.port=8443
++
+Then you should annotate the integration service to inject the Openshift 
service serving certificates
++
+[source,console]
+oc annotate service platform-http-server 
service.beta.openshift.io/serving-cert-secret-name=cert-from-openshift
+
+* To add an *edge* route using a certificate and a private key provided from 
your local filesystem. This example uses inline scripts to read the certificate 
and private key file contents, then remove all new line characters, (this is 
required to set the certificate as parameter's values), so the values are in a 
single line.
++
+[source,console]
+kamel run PlatformHttpServer.java --dev -t route.tls-termination=edge -t 
route.tls-certificate="$(cat tls.crt|awk 'NF {sub(/\r/, ""); printf 
"%s\\n",$0;}')" -t route.tls-key="$(cat tls.key|awk 'NF {sub(/\r/, ""); printf 
"%s\\n",$0;}')"
diff --git a/e2e/common/traits/files/PlatformHttpServer.java 
b/e2e/common/traits/files/PlatformHttpServer.java
new file mode 100644
index 0000000..9e52514
--- /dev/null
+++ b/e2e/common/traits/files/PlatformHttpServer.java
@@ -0,0 +1,25 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import org.apache.camel.builder.RouteBuilder;
+
+public class PlatformHttpServer extends RouteBuilder {
+  @Override
+  public void configure() throws Exception {
+    from("platform-http:/hello?httpMethodRestrict=GET").setBody(simple("Hello 
${header.name}"));
+  }
+}
\ No newline at end of file
diff --git a/e2e/common/traits/route_test.go b/e2e/common/traits/route_test.go
new file mode 100644
index 0000000..341215d
--- /dev/null
+++ b/e2e/common/traits/route_test.go
@@ -0,0 +1,337 @@
+// +build integration
+
+// To enable compilation of this file in Goland, go to "Settings -> Go -> 
Vendoring & Build Tags -> Custom Tags" and add "knative"
+
+/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package traits
+
+import (
+       "bytes"
+       "crypto/rand"
+       "crypto/rsa"
+       "crypto/tls"
+       "crypto/x509"
+       "crypto/x509/pkix"
+       "encoding/pem"
+       "fmt"
+       "math/big"
+       "net/http"
+       "testing"
+       "time"
+
+       . "github.com/onsi/gomega"
+       "github.com/stretchr/testify/assert"
+
+       rand2 "math/rand"
+
+       corev1 "k8s.io/api/core/v1"
+       metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+       . "github.com/apache/camel-k/e2e/support"
+       "github.com/apache/camel-k/pkg/util/openshift"
+)
+
+const(
+       secretName = "test-certificate"
+       integrationName = "platform-http-server"
+       waitBeforeHttpRequest = 7 * time.Second
+)
+
+type keyCertificatePair struct {
+       Key []byte
+       Certificate []byte
+}
+
+// self-signed certificate used when making the https request
+var certPem []byte
+
+// the e2e tests run on openshift3 in CI and there is no object to retrieve 
the base domain name
+// to create a valid hostname to later have it validate when doing the https 
request
+// as this a e2e test to validate the route object and not the certificate 
itself 
+// if the base domain name cannot be retrieved from dns/cluster we can safely 
skip TLS verification
+// if running on openshift4, there is the dns/cluster object to retrieve the 
base domain name, 
+// then in this case the http client validates the TLS certificate
+var skipClientTLSVerification = true
+
+func TestRunRoutes(t *testing.T) {
+       WithNewTestNamespace(t, func(ns string) {
+               ocp, err := openshift.IsOpenShift(TestClient())
+               if !ocp {
+                       t.Skip("This test requires route object which is 
available on OpenShift only.")
+                       return
+               }
+               assert.Nil(t, err)
+
+               Expect(Kamel("install", "-n", ns).Execute()).To(Succeed())
+
+               // create a test secret of type tls with certificates
+               // this secret is used to setupt the route TLS object across 
diferent tests
+               secret, err := createSecret(ns)
+               assert.Nil(t, err)
+
+               // they refer to the certificates create in the secret and are 
reused the different tests
+               refKey := secretName + "/" + corev1.TLSPrivateKeyKey
+               refCert := secretName + "/" + corev1.TLSCertKey
+
+               // =============================
+               // Insecure Route / No TLS
+               // =============================
+               t.Run("Route unsecure http works", func(t *testing.T) {
+                       Expect(Kamel("run", "-n", ns, 
"files/PlatformHttpServer.java").Execute()).To(Succeed())
+                       Eventually(IntegrationPodPhase(ns, integrationName), 
TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+                       route := Route(ns, integrationName)
+                       Eventually(route, TestTimeoutMedium).ShouldNot(BeNil())
+                       // must wait a little time after route is created, 
before doing an http request, 
+                       // otherwise the route is unavailable and the http 
request will fail
+                       time.Sleep(waitBeforeHttpRequest)
+                       url := fmt.Sprintf("http://%s/hello?name=Simple";, 
route().Spec.Host)
+                       response, err := httpRequest(t, url, false)
+                       assert.Nil(t, err)
+                       assert.Equal(t, "Hello Simple", response)
+                       Expect(Kamel("delete", "--all", "-n", 
ns).Execute()).Should(BeNil())
+               })
+
+               // =============================
+               // TLS Route Edge
+               // =============================
+
+               t.Run("Route Edge https works", func(t *testing.T) {
+                       Expect(Kamel("run", "-n", ns, 
"files/PlatformHttpServer.java", "-t", 
"route.tls-termination=edge").Execute()).To(Succeed())
+                       Eventually(IntegrationPodPhase(ns, integrationName), 
TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+                       route := Route(ns, integrationName)
+                       Eventually(route, TestTimeoutMedium).ShouldNot(BeNil())
+                       // must wait a little time after route is created, 
before an http request, 
+                       // otherwise the route is unavailable and the http 
request will fail
+                       time.Sleep(waitBeforeHttpRequest)
+                       url := fmt.Sprintf("https://%s/hello?name=TLS_Edge";, 
route().Spec.Host)
+                       response, err := httpRequest(t, url, true)
+                       assert.Nil(t, err)
+                       assert.Equal(t, "Hello TLS_Edge", response)
+                       Expect(Kamel("delete", "--all", "-n", 
ns).Execute()).Should(BeNil())
+               })
+
+               // =============================
+               // TLS Route Edge with custom certificate
+               // =============================
+
+               t.Run("Route Edge (custom certificate) https works", func(t 
*testing.T) {
+                       Expect(Kamel("run", "-n", ns, 
"files/PlatformHttpServer.java",
+                               "-t", "route.tls-termination=edge",
+                               "-t", "route.tls-certificate-secret=" + refCert,
+                               "-t", "route.tls-key-secret=" + refKey,
+                       ).Execute()).To(Succeed())
+                       Eventually(IntegrationPodPhase(ns, integrationName), 
TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+                       route := Route(ns, integrationName)
+                       Eventually(route, TestTimeoutMedium).ShouldNot(BeNil())
+                       // must wait a little time after route is created, 
before an http request, 
+                       // otherwise the route is unavailable and the http 
request will fail
+                       time.Sleep(waitBeforeHttpRequest)
+                       code := "TLS_EdgeCustomCertificate"
+                       url := fmt.Sprintf("https://%s/hello?name=%s";, 
route().Spec.Host, code)
+                       response, err := httpRequest(t, url, true)
+                       assert.Nil(t, err)
+                       assert.Equal(t, "Hello " + code, response)
+                       Expect(Kamel("delete", "--all", "-n", 
ns).Execute()).Should(BeNil())
+               })
+
+               // =============================
+               // TLS Route Passthrough
+               // =============================
+
+               t.Run("Route passthrough https works", func(t *testing.T) {
+                       Expect(Kamel("run", "-n", ns, 
"files/PlatformHttpServer.java",
+                               // the --resource mounts the certificates 
inside secret as files in the integration pod
+                               "--resource", "secret:" + secretName + 
"@/etc/ssl/" + secretName,
+                               // quarkus platform-http uses these two 
properties to setup the HTTP endpoint with TLS support
+                               "-p", 
"quarkus.http.ssl.certificate.file=/etc/ssl/" + secretName + "/tls.crt",
+                               "-p", 
"quarkus.http.ssl.certificate.key-file=/etc/ssl/" + secretName + "/tls.key",
+                               "-t", "route.tls-termination=passthrough",
+                               "-t", "container.port=8443",
+                       ).Execute()).To(Succeed())
+                       Eventually(IntegrationPodPhase(ns, integrationName), 
TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+                       route := Route(ns, integrationName)
+                       Eventually(route, TestTimeoutMedium).ShouldNot(BeNil())
+                       // must wait a little time after route is created, 
before an http request, 
+                       // otherwise the route is unavailable and the http 
request will fail
+                       time.Sleep(waitBeforeHttpRequest)
+                       code := "TLS_Passthrough"
+                       url := fmt.Sprintf("https://%s/hello?name=%s";, 
route().Spec.Host, code)
+                       response, err := httpRequest(t, url, true)
+                       assert.Nil(t, err)
+                       assert.Equal(t, "Hello " + code, response)
+                       Expect(Kamel("delete", "--all", "-n", 
ns).Execute()).Should(BeNil())
+               })
+
+               // =============================
+               // TLS Route Reencrypt
+               // =============================
+
+               t.Run("Route Reencrypt https works", func(t *testing.T) {
+                       Expect(Kamel("run", "-n", ns, 
"files/PlatformHttpServer.java",
+                               // the --resource mounts the certificates 
inside secret as files in the integration pod
+                               "--resource", "secret:" + secretName + 
"@/etc/ssl/" + secretName,
+                               // quarkus platform-http uses these two 
properties to setup the HTTP endpoint with TLS support
+                               "-p", 
"quarkus.http.ssl.certificate.file=/etc/ssl/" + secretName + "/tls.crt",
+                               "-p", 
"quarkus.http.ssl.certificate.key-file=/etc/ssl/" + secretName + "/tls.key",
+                               "-t", "route.tls-termination=reencrypt",
+                               // the destination CA certificate which the 
route service uses to validate the HTTP endpoint TLS certificate
+                               "-t", 
"route.tls-destination-ca-certificate-secret=" + refCert,
+                               "-t", "route.tls-certificate-secret=" + refCert,
+                               "-t", "route.tls-key-secret=" + refKey,
+                               "-t", "container.port=8443",
+                       ).Execute()).To(Succeed())
+                       Eventually(IntegrationPodPhase(ns, integrationName), 
TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+
+                       route := Route(ns, integrationName)
+                       Eventually(route, TestTimeoutMedium).ShouldNot(BeNil())
+                       // must wait a little time after route is created, 
before an http request, 
+                       // otherwise the route is unavailable and the http 
request will fail
+                       time.Sleep(waitBeforeHttpRequest)
+                       code := "TLS_Reencrypt"
+                       url := fmt.Sprintf("https://%s/hello?name=%s";, 
route().Spec.Host, code)
+                       response, err := httpRequest(t, url, true)
+                       assert.Nil(t, err)
+                       assert.Equal(t, "Hello " + code, response)
+                       Expect(Kamel("delete", "--all", "-n", 
ns).Execute()).Should(BeNil())
+               })
+               Expect(TestClient().Delete(TestContext, &secret)).To(Succeed())
+       })
+}
+
+func httpRequest(t *testing.T, url string, tlsEnabled bool) (string, error) {
+       var client http.Client
+       if tlsEnabled {
+               var transCfg http.Transport
+               if skipClientTLSVerification {
+                       transCfg = http.Transport{
+                               TLSClientConfig: &tls.Config {
+                                       InsecureSkipVerify: true,
+                               },
+                       }
+               } else {
+                       certPool := x509.NewCertPool()
+                       certPool.AppendCertsFromPEM(certPem)
+                       transCfg = http.Transport{
+                               TLSClientConfig: &tls.Config {
+                                       RootCAs: certPool,
+                               },
+                       }
+               }
+               client = http.Client{Transport: &transCfg}
+       } else {
+               client = http.Client{}
+       }
+       response, err := client.Get(url)
+       defer func() {
+               if response != nil {
+                       _ = response.Body.Close()
+               }
+       }()
+       if err != nil {
+               fmt.Printf("Error making HTTP request. %s\n", err)
+               return "", err
+       }
+       assert.Nil(t, err)
+       buf := new(bytes.Buffer)
+       _, err = buf.ReadFrom(response.Body)
+       if err != nil {
+               fmt.Printf("Error reading the HTTP response. %s\n", err)
+               return "", err
+       }
+       assert.Nil(t, err)
+       return buf.String(), nil
+}
+
+func createSecret(ns string) (corev1.Secret, error) {
+       keyCertPair := generateSampleKeyAndCertificate(ns)
+       sec := corev1.Secret{
+               TypeMeta: metav1.TypeMeta{
+                       Kind:       "Secret",
+                       APIVersion: corev1.SchemeGroupVersion.String(),
+               },
+               ObjectMeta: metav1.ObjectMeta{
+                       Namespace: ns,
+                       Name:      secretName,
+               },
+               Type: corev1.SecretTypeTLS,
+               Data: map[string][]byte{
+                       corev1.TLSPrivateKeyKey: keyCertPair.Key,
+                       corev1.TLSCertKey: keyCertPair.Certificate,
+               },
+       }
+       return sec, TestClient().Create(TestContext, &sec)
+}
+
+func generateSampleKeyAndCertificate(ns string) keyCertificatePair {
+       serialNumber := big.NewInt(rand2.Int63())
+       domainName, err := ClusterDomainName()
+       if err != nil {
+               fmt.Printf("Error retrieving cluster domain object, then the 
http client request will skip TLS validation: %s\n", err)
+               skipClientTLSVerification = true
+       }
+       var dnsHostname string
+       if len(domainName) > 0 {
+               dnsHostname = integrationName + "-" + ns + "." + domainName
+       } else {
+               dnsHostname = integrationName + "-" + ns
+       }
+       x509Certificate := x509.Certificate{
+               SerialNumber: serialNumber,
+               Subject: pkix.Name{
+                       Organization: []string{"Camel K test"},
+               },
+               IsCA:                              true,
+               DNSNames:              []string{dnsHostname},
+               NotBefore:             time.Now(),
+               NotAfter:              time.Now().AddDate(1, 0, 0),
+               ExtKeyUsage:           
[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+               KeyUsage:              x509.KeyUsageKeyEncipherment | 
x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+               BasicConstraintsValid: true,
+       }
+
+       // generate the private key
+       certPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+       if err != nil {
+               fmt.Printf("Error generating private key: %s\n", err)
+       }
+
+       privateKeyBytes := x509.MarshalPKCS1PrivateKey(certPrivateKey)
+       // encode for storing into secret
+       privateKeyPem := pem.EncodeToMemory(
+               &pem.Block{
+                       Type:  "RSA PRIVATE KEY",
+                       Bytes: privateKeyBytes,
+               },
+       )
+       certBytes, err := x509.CreateCertificate(rand.Reader, &x509Certificate, 
&x509Certificate, &certPrivateKey.PublicKey, certPrivateKey)
+       if err != nil {
+               fmt.Printf("Error generating certificate: %s\n", err)
+       }
+
+       // encode for storing into secret
+       certPem = pem.EncodeToMemory(&pem.Block{
+               Type:  "CERTIFICATE",
+               Bytes: certBytes,
+       })
+
+       return keyCertificatePair {
+               Key: privateKeyPem,
+               Certificate: certPem,
+       }
+}
diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go
index 323362e..879d371 100644
--- a/e2e/support/test_support.go
+++ b/e2e/support/test_support.go
@@ -57,6 +57,7 @@ import (
        messaging "knative.dev/eventing/pkg/apis/messaging/v1"
        servingv1 "knative.dev/serving/pkg/apis/serving/v1"
 
+       configv1 "github.com/openshift/api/config/v1"
        projectv1 "github.com/openshift/api/project/v1"
        routev1 "github.com/openshift/api/route/v1"
 
@@ -120,6 +121,7 @@ func init() {
        client.FastMapperAllowedAPIGroups["messaging.knative.dev"] = true
        client.FastMapperAllowedAPIGroups["serving.knative.dev"] = true
        client.FastMapperAllowedAPIGroups["operators.coreos.com"] = true
+       client.FastMapperAllowedAPIGroups["config.openshift.io"] = true
        client.FastMapperAllowedAPIGroups["policy"] = true
 
        var err error
@@ -1058,6 +1060,19 @@ func Kamelet(name string, ns string) func() 
*v1alpha1.Kamelet {
        }
 }
 
+func ClusterDomainName() (string, error) {
+       dns := configv1.DNS{}
+       key := ctrl.ObjectKey{
+               Name:      "cluster",
+       }
+       err := TestClient().Get(TestContext, key, &dns)
+       if err != nil {
+               return "", err
+       }
+       return dns.Spec.BaseDomain, nil
+}
+
+
 /*
        Tekton
 */
diff --git a/pkg/resources/resources.go b/pkg/resources/resources.go
index dce9012..04ad9ab 100644
--- a/pkg/resources/resources.go
+++ b/pkg/resources/resources.go
@@ -467,9 +467,9 @@ var assets = func() http.FileSystem {
                "/traits.yaml": &vfsgen۰CompressedFileInfo{
                        name:             "traits.yaml",
                        modTime:          time.Time{},
-                       uncompressedSize: 39128,
+                       uncompressedSize: 41625,
 
-                       compressedContent: 
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x7d\x7b\x73\x24\xb7\xf1\xd8\xff\xf7\x29\x50\xfc\xa5\xea\x48\xd6\xee\xf0\x24\xc7\xb6\xc2\x44\x71\x51\x77\x27\x8b\xd2\x3d\x98\x23\x2d\x57\x4a\x51\x79\xb1\x33\xbd\xbb\x38\x62\x80\x31\x80\x21\x6f\x1d\xe7\xbb\xa7\xd0\x8d\xd7\xec\x0e\x97\xcb\x93\xa8\x12\x53\xb1\xff\xd0\x91\x9c\x69\x34\x1a\x8d\x7e\x77\x8f\x33\x5c\x38\x7b\xfa\x6c\xca\x14\x6f\xe1\x94\xf1\xc5\x42\x28\xe1\xd6\xcf\x18\xeb\x24\x77\x0b\x6d\xda\x53\xb6\xe0\xd2\x
 [...]
+                       compressedContent: 
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x7d\x6b\x73\x23\x37\xb6\xd8\xf7\xf9\x15\x28\xde\x54\x8d\xa4\x22\x29\xd9\x9b\xdd\x75\x94\x38\x5b\xf2\xcc\x78\x2d\x7b\x1e\xca\x48\xeb\xad\xd4\xc4\xb5\x04\xbb\x0f\x49\x8c\xd0\x40\x2f\x80\x96\x86\x9b\x9b\xff\x9e\xc2\x39\x78\x35\xd9\xa2\xa8\xf1\xc8\xb1\x52\x77\xf7\x83\x47\x52\x37\x70\x70\x70\xde\xaf\x76\x86\x0b\x67\x4f\x9f\x4d\x98\xe2\x0d\x9c\x32\xbe\x58\x08\x25\xdc\xfa\x19\x63\xad\xe4\x6e\xa1\x4d\x73\xca\x16\x5c\x5a\x
 [...]
                },
        }
        fs["/"].(*vfsgen۰DirInfo).entries = []os.FileInfo{
diff --git a/pkg/trait/route.go b/pkg/trait/route.go
index 72d20f7..20f0c43 100644
--- a/pkg/trait/route.go
+++ b/pkg/trait/route.go
@@ -20,6 +20,7 @@ package trait
 import (
        "fmt"
        "reflect"
+       "strings"
 
        corev1 "k8s.io/api/core/v1"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -28,10 +29,19 @@ import (
        routev1 "github.com/openshift/api/route/v1"
 
        v1 "github.com/apache/camel-k/pkg/apis/camel/v1"
+       "github.com/apache/camel-k/pkg/util/kubernetes"
 )
 
 // The Route trait can be used to configure the creation of OpenShift routes 
for the integration.
 //
+// The certificate and key contents may be sourced either from the local 
filesystem or in a Openshift `secret` object.
+// The user may use the parameters ending in `-secret` (example: 
`tls-certificate-secret`) to reference a certificate stored in a `secret`.
+// Parameters ending in `-secret` have higher priorities and in case the same 
route parameter is set, for example: `tls-key-secret` and `tls-key`,
+// then `tls-key-secret` is used.
+// The recommended approach to set the key and certificates is to use 
`secrets` to store their contents and use the
+// following parameters to reference them: `tls-certificate-secret`, 
`tls-key-secret`, `tls-ca-certificate-secret`, 
`tls-destination-ca-certificate-secret`
+// See the examples section at the end of this page to see the setup options.
+//
 // +camel-k:trait=route
 type routeTrait struct {
        BaseTrait `property:",squash"`
@@ -39,31 +49,47 @@ type routeTrait struct {
        Host string `property:"host" json:"host,omitempty"`
        // The TLS termination type, like `edge`, `passthrough` or `reencrypt`.
        //
-       // Refer to the OpenShift documentation for additional information.
+       // Refer to the OpenShift route documentation for additional 
information.
        TLSTermination string `property:"tls-termination" 
json:"tlsTermination,omitempty"`
        // The TLS certificate contents.
        //
-       // Refer to the OpenShift documentation for additional information.
+       // Refer to the OpenShift route documentation for additional 
information.
        TLSCertificate string `property:"tls-certificate" 
json:"tlsCertificate,omitempty"`
+       // The secret name and key reference to the TLS certificate. The format 
is "secret-name[/key-name]", the value represents the secret name, if there is 
only one key in the secret it will be read, otherwise you can set a key name 
separated with a "/".
+       //
+       // Refer to the OpenShift route documentation for additional 
information.
+       TLSCertificateSecret string `property:"tls-certificate-secret" 
json:"tlsCertificateSecret,omitempty"`
        // The TLS certificate key contents.
        //
-       // Refer to the OpenShift documentation for additional information.
+       // Refer to the OpenShift route documentation for additional 
information.
        TLSKey string `property:"tls-key" json:"tlsKey,omitempty"`
-       // The TLS cert authority certificate contents.
+       // The secret name and key reference to the TLS certificate key. The 
format is "secret-name[/key-name]", the value represents the secret name, if 
there is only one key in the secret it will be read, otherwise you can set a 
key name separated with a "/".
+       //
+       // Refer to the OpenShift route documentation for additional 
information.
+       TLSKeySecret string `property:"tls-key-secret" 
json:"tlsKeySecret,omitempty"`
+       // The TLS CA certificate contents.
        //
-       // Refer to the OpenShift documentation for additional information.
+       // Refer to the OpenShift route documentation for additional 
information.
        TLSCACertificate string `property:"tls-ca-certificate" 
json:"tlsCACertificate,omitempty"`
+       // The secret name and key reference to the TLS CA certificate. The 
format is "secret-name[/key-name]", the value represents the secret name, if 
there is only one key in the secret it will be read, otherwise you can set a 
key name separated with a "/".
+       //
+       // Refer to the OpenShift route documentation for additional 
information.
+       TLSCACertificateSecret string `property:"tls-ca-certificate-secret" 
json:"tlsCACertificateSecret,omitempty"`
        // The destination CA certificate provides the contents of the ca 
certificate of the final destination.  When using reencrypt
        // termination this file should be provided in order to have routers 
use it for health checks on the secure connection.
        // If this field is not specified, the router may provide its own 
destination CA and perform hostname validation using
        // the short service name (service.namespace.svc), which allows 
infrastructure generated certificates to automatically
        // verify.
        //
-       // Refer to the OpenShift documentation for additional information.
+       // Refer to the OpenShift route documentation for additional 
information.
        TLSDestinationCACertificate string 
`property:"tls-destination-ca-certificate" 
json:"tlsDestinationCACertificate,omitempty"`
+       // The secret name and key reference to the destination CA certificate. 
The format is "secret-name[/key-name]", the value represents the secret name, 
if there is only one key in the secret it will be read, otherwise you can set a 
key name separated with a "/".
+       //
+       // Refer to the OpenShift route documentation for additional 
information.
+       TLSDestinationCACertificateSecret string 
`property:"tls-destination-ca-certificate-secret" 
json:"tlsDestinationCACertificateSecret,omitempty"`
        // To configure how to deal with insecure traffic, e.g. `Allow`, 
`Disable` or `Redirect` traffic.
        //
-       // Refer to the OpenShift documentation for additional information.
+       // Refer to the OpenShift route documentation for additional 
information.
        TLSInsecureEdgeTerminationPolicy string 
`property:"tls-insecure-edge-termination-policy" 
json:"tlsInsecureEdgeTerminationPolicy,omitempty"`
 
        service *corev1.Service
@@ -122,6 +148,10 @@ func (t *routeTrait) Apply(e *Environment) error {
                servicePortName = dt.(*containerTrait).ServicePortName
        }
 
+       tlsConfig, err := t.getTLSConfig()
+       if err != nil {
+               return err
+       }
        route := routev1.Route{
                TypeMeta: metav1.TypeMeta{
                        Kind:       "Route",
@@ -143,7 +173,7 @@ func (t *routeTrait) Apply(e *Environment) error {
                                Name: t.service.Name,
                        },
                        Host: t.Host,
-                       TLS:  t.getTLSConfig(),
+                       TLS:  tlsConfig,
                },
        }
 
@@ -174,19 +204,83 @@ func (t *routeTrait) Apply(e *Environment) error {
        return nil
 }
 
-func (t *routeTrait) getTLSConfig() *routev1.TLSConfig {
+func (t *routeTrait) getTLSConfig() (*routev1.TLSConfig, error) {
+       // a certificate is a multiline text, but to set it as value in a 
single line in CLI, the user must escape the new line character as \\n
+       // but in the TLS configuration, the certificates should be a multiline 
string
+       // then we need to replace the incoming escaped new lines \\n for a 
real new line \n
+       key := strings.ReplaceAll(t.TLSKey, "\\n", "\n")
+       certificate := strings.ReplaceAll(t.TLSCertificate, "\\n", "\n")
+       CACertificate := strings.ReplaceAll(t.TLSCACertificate, "\\n", "\n")
+       destinationCAcertificate := 
strings.ReplaceAll(t.TLSDestinationCACertificate, "\\n", "\n")
+       var err error
+       if t.TLSKeySecret != "" {
+               key, err = t.readContentIfExists(t.TLSKeySecret)
+               if err != nil {
+                       return nil, err
+               }
+       }
+       if t.TLSCertificateSecret != "" {
+               certificate, err = t.readContentIfExists(t.TLSCertificateSecret)
+               if err != nil {
+                       return nil, err
+               }
+       }
+       if t.TLSCACertificateSecret != "" {
+               CACertificate, err = 
t.readContentIfExists(t.TLSCACertificateSecret)
+               if err != nil {
+                       return nil, err
+               }
+       }
+       if t.TLSDestinationCACertificateSecret != "" {
+               destinationCAcertificate, err = 
t.readContentIfExists(t.TLSDestinationCACertificateSecret)
+               if err != nil {
+                       return nil, err
+               }
+       }
+
        config := routev1.TLSConfig{
                Termination:                   
routev1.TLSTerminationType(t.TLSTermination),
-               Certificate:                   t.TLSCertificate,
-               Key:                           t.TLSKey,
-               CACertificate:                 t.TLSCACertificate,
-               DestinationCACertificate:      t.TLSDestinationCACertificate,
+               Key:                           key,
+               Certificate:                   certificate,
+               CACertificate:                 CACertificate,
+               DestinationCACertificate:      destinationCAcertificate,
                InsecureEdgeTerminationPolicy: 
routev1.InsecureEdgeTerminationPolicyType(t.TLSInsecureEdgeTerminationPolicy),
        }
 
        if reflect.DeepEqual(config, routev1.TLSConfig{}) {
-               return nil
+               return nil, nil
        }
 
-       return &config
+       return &config, nil
 }
+
+func (t *routeTrait) readContentIfExists(secretName string) (string, error) {
+       key := ""
+       strs := strings.Split(secretName, "/")
+       if len(strs) > 1 {
+               secretName = strs[0]
+               key = strs[1]
+       }
+
+       secret := kubernetes.LookupSecret(t.Ctx, t.Client, t.service.Namespace, 
secretName)
+       if secret == nil {
+               return "", fmt.Errorf("%s secret not found in %s namespace, 
make sure to provide it before the Integration can run", secretName, 
t.service.Namespace)
+       }
+       if len(secret.Data) > 1 && len(key) == 0 {
+               return "", fmt.Errorf("secret %s contains multiple data keys, 
but no key was provided", secretName)
+       }
+       if len(secret.Data) == 1 && len(key) == 0 {
+               for _, value := range secret.Data {
+                       content := string(value)
+                       return content, nil
+               }
+       }
+       if len(key) > 0 {
+               content := string(secret.Data[key])
+               if len(content) == 0 {
+                       return "", fmt.Errorf("Could not find key %s in secret 
%s in namespace %s", key, secretName, t.service.Namespace)
+               }
+               return content, nil
+       }
+       return "", nil
+}
\ No newline at end of file
diff --git a/pkg/trait/route_test.go b/pkg/trait/route_test.go
index 764fedc..fe3f153 100644
--- a/pkg/trait/route_test.go
+++ b/pkg/trait/route_test.go
@@ -35,13 +35,105 @@ import (
        "github.com/apache/camel-k/pkg/util/test"
 )
 
+const (
+       host = "my-host1"
+       key  = `-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKulUTZ8B1qccZ8c
+DXRGSY08gW8KvLlcxxxGC4gZHNT3CBUF8n5R4KE30aZyYZ/rtsQZu05juZJxaJ0q
+mbe75dlQ5d+Xc9BMXeQg/MpTZw5TAN7OIdGYYpFBe+1PLZ6wEfjkYrMqMUcfq2Lq
+hTLdAbvBJnuRcYZLqmBeOQ8FTrKrAgMBAAECgYEAnkHRbEPU3/WISSQrP36iyCb2
+S/SBZwKkzmvCrBxDWhPeDswp9c/2JY76rNWfLzy8iXgUG8WUzvHje61Qh3gmBcKe
+bUaTGl4Vy8Ha1YBADo5RfRrdm0FE4tvgvu/TkqFqpBBZweu54285hk5zlG7n/D7Y
+dnNXUpu5MlNb5x3gW0kCQQDUL//cwcXUxY/evaJP4jSe+ZwEQZo+zXRLiPUulBoV
+aw28CVMuxdgwqAo1X1IKefPeUaf7RQu8gCKaRnpGuEuXAkEAzxZTfMmvmCUDIew4
+5Gk6bK265XQWdhcgiq254lpBGOYmDj9yCE7yA+zmASQwMsXTdQOi1hOCEyrXuSJ5
+c++EDQJAFh3WrnzoEPByuYXMmET8tSFRWMQ5vpgNqh3haHR5b4gUC2hxaiunCBNL
+1RpVY9AoUiDywGcG/SPh93CnKB3niwJBAKP7AtsifZgVXtiizB4aMThTjVYaSZrz
+D0Kg9DuHylpkDChmFu77TGrNUQgAVuYtfhb/bRblVa/F0hJ4eQHT3JUCQBVT68tb
+OgRUk0aP9tC3021VN82X6+klowSQN8oBPX8+TfDWSUilp/+j24Hky+Z29Do7yR/R
+qutnL92CvBlVLV4=
+-----END PRIVATE KEY-----
+`
+       cert = `-----BEGIN CERTIFICATE-----
+MIIBajCCARCgAwIBAgIUbYqrLSOSQHoxD8CwG6Bi2PJi9c8wCgYIKoZIzj0EAwIw
+EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNDI0MjE0MzAwWhcNMzcwNDE5MjE0
+MzAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABJk/VyMPYdaqDXJb/VXh5n/1Yuv7iNrxV3Qb3l06XD46seovcDWs3IZNV1lf
+3Skyr0ofcchipoiHkXBODojJydSjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBRUXxuRcnFjDfR/RIAUQab8ZV/n4jAKBggqhkjO
+PQQDAgNIADBFAiAy+JTe6Uc3KyLCMiqGl2GyWGQqQDEcO3/YG36x7om65AIhAJvz
+pxv6zFeVEkAEEkqIYi0omA9+CjanB/6Bz4n1uw8H
+-----END CERTIFICATE-----
+`
+       caCert = `-----BEGIN CERTIFICATE-----
+BLAajCCARCgAwIBAgIUbYqrLSOSQHoxD8CwG6Bi2PJi9c8wCgYIKoZIzj0EAwIw
+EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNDI0MjE0MzAwWhcNMzcwNDE5MjE0
+MzAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABJk/VyMPYdaqDXJb/VXh5n/1Yuv7iNrxV3Qb3l06XD46seovcDWs3IZNV1lf
+3Skyr0ofcchipoiHkXBODojJydSjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBRUXxuRcnFjDfR/RIAUQab8ZV/n4jAKBggqhkjO
+PQQDAgNIADBFAiAy+JTe6Uc3KyLCMiqGl2GyWGQqQDEcO3/YG36x7om65AIhAJvz
+pxv6zFeVEkAEEkqIYi0omA9+CjanB/6Bz4n1uw8H
+-----END CERTIFICATE-----
+`
+       destinationCaCert = `-----BEGIN CERTIFICATE-----
+FOOBARCCARCgAwIBAgIUbYqrLSOSQHoxD8CwG6Bi2PJi9c8wCgYIKoZIzj0EAwIw
+EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNDI0MjE0MzAwWhcNMzcwNDE5MjE0
+MzAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABJk/VyMPYdaqDXJb/VXh5n/1Yuv7iNrxV3Qb3l06XD46seovcDWs3IZNV1lf
+3Skyr0ofcchipoiHkXBODojJydSjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBRUXxuRcnFjDfR/RIAUQab8ZV/n4jAKBggqhkjO
+PQQDAgNIADBFAiAy+JTe6Uc3KyLCMiqGl2GyWGQqQDEcO3/YG36x7om65AIhAJvz
+pxv6zFeVEkAEEkqIYi0omA9+CjanB/6Bz4n1uw8H
+-----END CERTIFICATE-----
+`
+
+       tlsKeySecretName        = "tls-test"
+       tlsKeySecretOnlyKeyName = "tls.key"
+       tlsKeySecretKeyName     = tlsKeySecretName + "/" + 
tlsKeySecretOnlyKeyName
+
+       tlsMultipleSecretsName     = "tls-multiple-test"
+       tlsMultipleSecretsCert1Key = "cert1.crt"
+       tlsMultipleSecretsCert2Key = "cert2.crt"
+       tlsMultipleSecretsCert3Key = "cert3.crt"
+)
+
 func createTestRouteEnvironment(t *testing.T, name string) *Environment {
        catalog, err := camel.DefaultCatalog()
        assert.Nil(t, err)
-
+       client, _ := test.NewFakeClient(
+               &corev1.Secret{
+                       TypeMeta: metav1.TypeMeta{
+                               APIVersion: "v1",
+                               Kind:       "Secret",
+                       },
+                       ObjectMeta: metav1.ObjectMeta{
+                               Namespace: "test-ns",
+                               Name:      tlsKeySecretName,
+                       },
+                       Data: map[string][]byte{
+                               tlsKeySecretOnlyKeyName: []byte(key),
+                       },
+               },
+               &corev1.Secret{
+                       TypeMeta: metav1.TypeMeta{
+                               APIVersion: "v1",
+                               Kind:       "Secret",
+                       },
+                       ObjectMeta: metav1.ObjectMeta{
+                               Namespace: "test-ns",
+                               Name:      tlsMultipleSecretsName,
+                       },
+                       Data: map[string][]byte{
+                               tlsMultipleSecretsCert1Key: []byte(cert),
+                               tlsMultipleSecretsCert2Key: []byte(caCert),
+                               tlsMultipleSecretsCert3Key: 
[]byte(destinationCaCert),
+                       },
+               },
+       )
        res := &Environment{
                CamelCatalog: catalog,
-               Catalog:      NewCatalog(context.TODO(), nil),
+               Catalog:      NewCatalog(context.TODO(), client),
                Integration: &v1.Integration{
                        ObjectMeta: metav1.ObjectMeta{
                                Name:      name,
@@ -154,14 +246,14 @@ func TestRoute_Configure_IntegrationKitOnly(t *testing.T) 
{
        assert.Nil(t, err)
 }
 
-func TestRoute_TLS(t *testing.T) {
+func TestRoute_Host(t *testing.T) {
        name := xid.New().String()
        environment := createTestRouteEnvironment(t, name)
        traitsCatalog := environment.Catalog
 
        environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
                "route": test.TraitSpecFromMap(t, map[string]interface{}{
-                       "tlsTermination": string(routev1.TLSTerminationEdge),
+                       "host": host,
                }),
        }
 
@@ -176,8 +268,229 @@ func TestRoute_TLS(t *testing.T) {
        })
 
        assert.NotNil(t, route)
+       assert.Equal(t, host, route.Spec.Host)
+       assert.Nil(t, route.Spec.TLS)
+}
+
+func TestRoute_TLS_From_Secret_reencrypt(t *testing.T) {
+       name := xid.New().String()
+       environment := createTestRouteEnvironment(t, name)
+       traitsCatalog := environment.Catalog
+
+       environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+               "route": test.TraitSpecFromMap(t, map[string]interface{}{
+                       "tlsTermination":                    
string(routev1.TLSTerminationReencrypt),
+                       "host":                              host,
+                       "tlsKeySecret":                      tlsKeySecretName,
+                       "tlsCertificateSecret":              
tlsMultipleSecretsName + "/" + tlsMultipleSecretsCert1Key,
+                       "tlsCACertificateSecret":            
tlsMultipleSecretsName + "/" + tlsMultipleSecretsCert2Key,
+                       "tlsDestinationCACertificateSecret": 
tlsMultipleSecretsName + "/" + tlsMultipleSecretsCert3Key,
+               }),
+       }
+       err := traitsCatalog.apply(environment)
+
+       assert.Nil(t, err)
+       assert.NotEmpty(t, environment.ExecutedTraits)
+       assert.NotNil(t, environment.GetTrait("route"))
+
+       route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+               return r.ObjectMeta.Name == name
+       })
+
+       assert.NotNil(t, route)
+       assert.NotNil(t, route.Spec.TLS)
+       assert.Equal(t, routev1.TLSTerminationReencrypt, 
route.Spec.TLS.Termination)
+       assert.Equal(t, key, route.Spec.TLS.Key)
+       assert.Equal(t, host, route.Spec.Host)
+       assert.Equal(t, cert, route.Spec.TLS.Certificate)
+       assert.Equal(t, caCert, route.Spec.TLS.CACertificate)
+       assert.Equal(t, destinationCaCert, 
route.Spec.TLS.DestinationCACertificate)
+}
+
+func TestRoute_TLS_wrong_secret(t *testing.T) {
+       name := xid.New().String()
+       environment := createTestRouteEnvironment(t, name)
+       traitsCatalog := environment.Catalog
+
+       environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+               "route": test.TraitSpecFromMap(t, map[string]interface{}{
+                       "tlsTermination":                    
string(routev1.TLSTerminationReencrypt),
+                       "host":                              host,
+                       "tlsKeySecret":                      "foo",
+                       "tlsCertificateSecret":              "bar",
+                       "tlsCACertificateSecret":            "test",
+                       "tlsDestinationCACertificateSecret": "404",
+               }),
+       }
+       err := traitsCatalog.apply(environment)
+
+       // there must be errors as the trait has wrong configuration
+       assert.NotNil(t, err)
+       assert.Nil(t, environment.GetTrait("route"))
+
+       route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+               return r.ObjectMeta.Name == name
+       })
+
+       // route trait is expected to not be created
+       assert.Nil(t, route)
+}
+
+func TestRoute_TLS_secret_wrong_key(t *testing.T) {
+       name := xid.New().String()
+       environment := createTestRouteEnvironment(t, name)
+       traitsCatalog := environment.Catalog
+
+       environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+               "route": test.TraitSpecFromMap(t, map[string]interface{}{
+                       "tlsTermination":         
string(routev1.TLSTerminationReencrypt),
+                       "host":                   host,
+                       "tlsKeySecret":           tlsKeySecretName,
+                       "tlsCertificateSecret":   tlsMultipleSecretsName + "/" 
+ tlsMultipleSecretsCert1Key,
+                       "tlsCACertificateSecret": tlsMultipleSecretsName + 
"/foo",
+               }),
+       }
+       err := traitsCatalog.apply(environment)
+
+       // there must be errors as the trait has wrong configuration
+       assert.NotNil(t, err)
+       assert.Nil(t, environment.GetTrait("route"))
+
+       route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+               return r.ObjectMeta.Name == name
+       })
+
+       // route trait is expected to not be created
+       assert.Nil(t, route)
+}
+
+func TestRoute_TLS_secret_missing_key(t *testing.T) {
+       name := xid.New().String()
+       environment := createTestRouteEnvironment(t, name)
+       traitsCatalog := environment.Catalog
+
+       environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+               "route": test.TraitSpecFromMap(t, map[string]interface{}{
+                       "tlsTermination":         
string(routev1.TLSTerminationReencrypt),
+                       "host":                   host,
+                       "tlsKeySecret":           tlsKeySecretName,
+                       "tlsCertificateSecret":   tlsMultipleSecretsName + "/" 
+ tlsMultipleSecretsCert1Key,
+                       "tlsCACertificateSecret": tlsMultipleSecretsName,
+               }),
+       }
+       err := traitsCatalog.apply(environment)
+
+       // there must be errors as the trait has wrong configuration
+       assert.NotNil(t, err)
+       assert.Nil(t, environment.GetTrait("route"))
+
+       route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+               return r.ObjectMeta.Name == name
+       })
+
+       // route trait is expected to not be created
+       assert.Nil(t, route)
+}
+
+func TestRoute_TLS_reencrypt(t *testing.T) {
+       name := xid.New().String()
+       environment := createTestRouteEnvironment(t, name)
+       traitsCatalog := environment.Catalog
+
+       environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+               "route": test.TraitSpecFromMap(t, map[string]interface{}{
+                       "tlsTermination":              
string(routev1.TLSTerminationReencrypt),
+                       "host":                        host,
+                       "tlsKey":                      key,
+                       "tlsCertificate":              cert,
+                       "tlsCACertificate":            caCert,
+                       "tlsDestinationCACertificate": destinationCaCert,
+               }),
+       }
+       err := traitsCatalog.apply(environment)
+
+       assert.Nil(t, err)
+       assert.NotEmpty(t, environment.ExecutedTraits)
+       assert.NotNil(t, environment.GetTrait("route"))
+
+       route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+               return r.ObjectMeta.Name == name
+       })
+
+       assert.NotNil(t, route)
+       assert.NotNil(t, route.Spec.TLS)
+       assert.Equal(t, routev1.TLSTerminationReencrypt, 
route.Spec.TLS.Termination)
+       assert.Equal(t, key, route.Spec.TLS.Key)
+       assert.Equal(t, host, route.Spec.Host)
+       assert.Equal(t, cert, route.Spec.TLS.Certificate)
+       assert.Equal(t, caCert, route.Spec.TLS.CACertificate)
+       assert.Equal(t, destinationCaCert, 
route.Spec.TLS.DestinationCACertificate)
+}
+
+func TestRoute_TLS_edge(t *testing.T) {
+       name := xid.New().String()
+       environment := createTestRouteEnvironment(t, name)
+       traitsCatalog := environment.Catalog
+
+       environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+               "route": test.TraitSpecFromMap(t, map[string]interface{}{
+                       "tlsTermination":   string(routev1.TLSTerminationEdge),
+                       "host":             host,
+                       "tlsKey":           key,
+                       "tlsCertificate":   cert,
+                       "tlsCACertificate": caCert,
+               }),
+       }
+       err := traitsCatalog.apply(environment)
+
+       assert.Nil(t, err)
+       assert.NotEmpty(t, environment.ExecutedTraits)
+       assert.NotNil(t, environment.GetTrait("route"))
+
+       route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+               return r.ObjectMeta.Name == name
+       })
+
+       assert.NotNil(t, route)
        assert.NotNil(t, route.Spec.TLS)
        assert.Equal(t, routev1.TLSTerminationEdge, route.Spec.TLS.Termination)
+       assert.Equal(t, key, route.Spec.TLS.Key)
+       assert.Equal(t, host, route.Spec.Host)
+       assert.Equal(t, cert, route.Spec.TLS.Certificate)
+       assert.Equal(t, caCert, route.Spec.TLS.CACertificate)
+       assert.Empty(t, route.Spec.TLS.DestinationCACertificate)
+}
+
+func TestRoute_TLS_passthrough(t *testing.T) {
+       name := xid.New().String()
+       environment := createTestRouteEnvironment(t, name)
+       traitsCatalog := environment.Catalog
+
+       environment.Integration.Spec.Traits = map[string]v1.TraitSpec{
+               "route": test.TraitSpecFromMap(t, map[string]interface{}{
+                       "tlsTermination":                   
string(routev1.TLSTerminationPassthrough),
+                       "host":                             host,
+                       "tlsInsecureEdgeTerminationPolicy": 
routev1.InsecureEdgeTerminationPolicyAllow,
+               }),
+       }
+       err := traitsCatalog.apply(environment)
+
+       assert.Nil(t, err)
+       assert.NotEmpty(t, environment.ExecutedTraits)
+       assert.NotNil(t, environment.GetTrait("route"))
+
+       route := environment.Resources.GetRoute(func(r *routev1.Route) bool {
+               return r.ObjectMeta.Name == name
+       })
+
+       assert.NotNil(t, route)
+       assert.NotNil(t, route.Spec.TLS)
+       assert.Equal(t, routev1.TLSTerminationPassthrough, 
route.Spec.TLS.Termination)
+       assert.Equal(t, host, route.Spec.Host)
+       assert.Equal(t, routev1.InsecureEdgeTerminationPolicyAllow, 
route.Spec.TLS.InsecureEdgeTerminationPolicy)
+       assert.Empty(t, route.Spec.TLS.Certificate)
+       assert.Empty(t, route.Spec.TLS.CACertificate)
+       assert.Empty(t, route.Spec.TLS.DestinationCACertificate)
 }
 
 func TestRoute_WithCustomServicePort(t *testing.T) {
diff --git a/pkg/util/openshift/register.go b/pkg/util/openshift/register.go
index 1687b1f..b7af756 100644
--- a/pkg/util/openshift/register.go
+++ b/pkg/util/openshift/register.go
@@ -23,6 +23,7 @@ import (
        apps "github.com/openshift/api/apps/v1"
        authorization "github.com/openshift/api/authorization/v1"
        build "github.com/openshift/api/build/v1"
+       config "github.com/openshift/api/config/v1"
        console "github.com/openshift/api/console/v1"
        image "github.com/openshift/api/image/v1"
        project "github.com/openshift/api/project/v1"
@@ -46,6 +47,7 @@ func AddToScheme(scheme *runtime.Scheme) error {
        err = doAdd(build.Install, scheme, err)
        err = doAdd(authorization.Install, scheme, err)
        err = doAdd(project.Install, scheme, err)
+       err = doAdd(config.Install, scheme, err)
 
        // OpenShift console API
        err = doAdd(console.Install, scheme, err)

Reply via email to