Use the ingress domain for the tls secret

**What** - Change the name of the TLS secret to use the domain name. This allows multiple functions to use the same secret instead of creating multiple secrets. This reduces the complexity for REST style APIs that need multiple paths corresponding to multiple Funcions and FunctionIngress on the same domain. Signed-off-by: Lucas Roesler <[email protected]>
openfaas · Nov 1, 2020 · df2332d · df2332d
1 parent f627c24
commit df2332d
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 3 deletions.
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
@@ -468,9 +468,11 @@ func makeTLS(fni *faasv1.FunctionIngress) []v1beta1.IngressTLS {
 	if !fni.Spec.UseTLS() {
 		return []v1beta1.IngressTLS{}
 	}
+
+
 	return []v1beta1.IngressTLS{
 		v1beta1.IngressTLS{
-			SecretName: fni.ObjectMeta.Name + "-cert",
+			SecretName: fni.Spec.Domain + "-cert",
 			Hosts: []string{
 				fni.Spec.Domain,
 			},
@@ -494,11 +496,9 @@ func getIssuerKind(issuerType string) string {
 	switch issuerType {
 	case "ClusterIssuer":
 		return "cert-manager.io/cluster-issuer"
-		break
 	default:
 		return "cert-manager.io/issuer"
 	}
-	return "cert-manager.io/issuer"
 }
 
 func makeAnnotations(fni *faasv1.FunctionIngress) map[string]string {

diff --git a/pkg/controller/controller_test.go b/pkg/controller/controller_test.go
@@ -1,8 +1,10 @@
 package controller
 
 import (
+	"reflect"
 	"testing"
 
+	v1beta1 "k8s.io/api/networking/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	faasv1 "github.com/openfaas-incubator/ingress-operator/pkg/apis/openfaas/v1alpha2"
@@ -277,3 +279,50 @@ func Test_makeRules_Traefik_NestedPath_TrimsRegex_And_TrailingSlash(t *testing.T
 		t.Errorf("want path %s, but got %s", wantPath, gotPath)
 	}
 }
+
+func Test_makTLS(t *testing.T) {
+
+	cases := []struct {
+		name     string
+		fni      *faasv1.FunctionIngress
+		expected []v1beta1.IngressTLS
+	}{
+		{
+			name:     "tls disabled results in empty tls config",
+			fni:      &faasv1.FunctionIngress{Spec: faasv1.FunctionIngressSpec{TLS: &faasv1.FunctionIngressTLS{Enabled: false}}},
+			expected: []v1beta1.IngressTLS{},
+		},
+		{
+			name: "tls enabled creates TLS object with correct host and secret with matching the host",
+			fni: &faasv1.FunctionIngress{
+				Spec: faasv1.FunctionIngressSpec{
+					Domain: "foo.example.com",
+					TLS: &faasv1.FunctionIngressTLS{
+						Enabled: true,
+						IssuerRef: faasv1.ObjectReference{
+							Name:"test-issuer",
+							Kind: "ClusterIssuer",
+						},
+					},
+				},
+			},
+			expected: []v1beta1.IngressTLS{
+				{
+					SecretName: "foo.example.com-cert",
+					Hosts: []string{
+						"foo.example.com",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := makeTLS(tc.fni)
+			if !reflect.DeepEqual(tc.expected, got) {
+				t.Fatalf("want tls config %v, got %v", tc.expected, got)
+			}
+		})
+	}
+}