simplification

Signed-off-by: Jan Wozniak <[email protected]>
kedacore · Aug 26, 2024 · f22b33c · f22b33c
1 parent 378388b
commit f22b33c
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 224 deletions.
diff --git a/config/interceptor/e2e-test/tls/deployment.yaml b/config/interceptor/e2e-test/tls/deployment.yaml
@@ -18,13 +18,21 @@ spec:
           value: "/certs/tls.crt"
         - name: KEDA_HTTP_PROXY_TLS_KEY_PATH
           value: "/certs/tls.key"
+        - name: KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS
+          value: "/additional-certs"
         - name: KEDA_HTTP_PROXY_TLS_PORT
           value: "8443"
         volumeMounts:
           - readOnly: true
             mountPath: "/certs"
             name: certs
+          - readOnly: true
+            mountPath: "/additional-certs/abc-certs"
+            name: abc-certs
       volumes:
         - name: certs
           secret:
             secretName: keda-tls
+        - name: abc-certs
+          secret:
+            secretName: abc-certs
diff --git a/interceptor/main.go b/interceptor/main.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"golang.org/x/exp/maps"
 	"golang.org/x/sync/errgroup"
 	"k8s.io/client-go/kubernetes"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -235,18 +236,18 @@ func runMetricsServer(
 }
 
 // addCert adds a certificate to the map of certificates based on the certificate's SANs
-func addCert(m map[string]tls.Certificate, certPath, keyPath string, logger logr.Logger) error {
+func addCert(m map[string]tls.Certificate, certPath, keyPath string, logger logr.Logger) (*tls.Certificate, error) {
 	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
 	if err != nil {
-		return fmt.Errorf("error loading certificate and key: %w", err)
+		return nil, fmt.Errorf("error loading certificate and key: %w", err)
 	}
 	if cert.Leaf == nil {
 		if len(cert.Certificate) == 0 {
-			return fmt.Errorf("no certificate found in certificate chain")
+			return nil, fmt.Errorf("no certificate found in certificate chain")
 		}
 		cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
 		if err != nil {
-			return fmt.Errorf("error parsing certificate: %w", err)
+			return nil, fmt.Errorf("error parsing certificate: %w", err)
 		}
 	}
 	for _, d := range cert.Leaf.DNSNames {
@@ -261,21 +262,24 @@ func addCert(m map[string]tls.Certificate, certPath, keyPath string, logger logr
 		logger.Info("adding certificate", "uri", uri.String())
 		m[uri.String()] = cert
 	}
-	return nil
+	return &cert, nil
 }
 
 // makeCertGetter creates a function that returns a certificate based on the server name
 // The matching between request and certificate is performed by comparing TLS/SNI server name with x509 SANs
-func makeCertGetter(tlsConfig map[string]string, logger logr.Logger) (func(*tls.ClientHelloInfo) (*tls.Certificate, error), error) {
+func makeCertGetter(tlsConfig map[string]string, logger logr.Logger) (func(*tls.ClientHelloInfo) (*tls.Certificate, error), []tls.Certificate, error) {
 	certPath := tlsConfig["certificatePath"]
 	keyPath := tlsConfig["keyPath"]
 	certStorePaths := tlsConfig["certstorePaths"]
+	var defaultCert *tls.Certificate
 
 	uriDomainsToCerts := make(map[string]tls.Certificate)
 	if certPath != "" && keyPath != "" {
-		if err := addCert(uriDomainsToCerts, certPath, keyPath, logger); err != nil {
-			return nil, fmt.Errorf("error adding certificate and key: %w", err)
+		cert, err := addCert(uriDomainsToCerts, certPath, keyPath, logger)
+		if err != nil {
+			return nil, nil, fmt.Errorf("error adding certificate and key: %w", err)
 		}
+		defaultCert = cert
 	}
 
 	if certStorePaths != "" {
@@ -307,18 +311,18 @@ func makeCertGetter(tlsConfig map[string]string, logger logr.Logger) (func(*tls.
 				return nil
 			})
 			if err != nil {
-				return nil, fmt.Errorf("error walking certificate store: %w", err)
+				return nil, nil, fmt.Errorf("error walking certificate store: %w", err)
 			}
 		}
 
 		for certID, certPath := range certFiles {
 			logger.Info("adding certificate", "certID", certID, "certPath", certPath)
 			keyPath, ok := keyFiles[certID]
 			if !ok {
-				return nil, fmt.Errorf("no key found for certificate %s", certPath)
+				return nil, nil, fmt.Errorf("no key found for certificate %s", certPath)
 			}
-			if err := addCert(uriDomainsToCerts, certPath, keyPath, logger); err != nil {
-				return nil, fmt.Errorf("error adding certificate %s: %w", certPath, err)
+			if _, err := addCert(uriDomainsToCerts, certPath, keyPath, logger); err != nil {
+				return nil, nil, fmt.Errorf("error adding certificate %s: %w", certPath, err)
 			}
 		}
 	}
@@ -327,8 +331,11 @@ func makeCertGetter(tlsConfig map[string]string, logger logr.Logger) (func(*tls.
 		if cert, ok := uriDomainsToCerts[hello.ServerName]; ok {
 			return &cert, nil
 		}
+		if defaultCert != nil {
+			return defaultCert, nil
+		}
 		return nil, fmt.Errorf("no certificate found for %s", hello.ServerName)
-	}, nil
+	}, maps.Values(uriDomainsToCerts), nil
 }
 
 func runProxyServer(
@@ -352,12 +359,13 @@ func runProxyServer(
 
 	tlsCfg := tls.Config{}
 	if tlsEnabled {
-		certGetter, err := makeCertGetter(tlsConfig, logger)
+		certGetter, defaultCert, err := makeCertGetter(tlsConfig, logger)
 		if err != nil {
 			logger.Error(fmt.Errorf("error creating certGetter for proxy server"), "error", err)
 			os.Exit(1)
 		}
 		tlsCfg.GetCertificate = certGetter
+		tlsCfg.Certificates = defaultCert
 	}
 
 	var upstreamHandler http.Handler

diff --git a/tests/checks/interceptor_multi_tls/interceptor_multi_tls_test.go b/tests/checks/interceptor_multi_tls/interceptor_multi_tls_test.go
diff --git a/tests/checks/interceptor_tls/interceptor_tls_test.go b/tests/checks/interceptor_tls/interceptor_tls_test.go
@@ -170,14 +170,15 @@ func TestInterceptorTLS(t *testing.T) {
 	sendRequest(t)
 
 	// cleanup
-	DeleteKubernetesResources(t, testNamespace, data, templates)
+	//DeleteKubernetesResources(t, testNamespace, data, templates)
 }
 
 func sendRequest(t *testing.T) {
 	t.Log("--- sending request ---")
 
-	stdout, _, err := ExecCommandOnSpecificPod(t, clientName, testNamespace, fmt.Sprintf("curl -k --resolve %v:8443:keda-http-add-on-interceptor-proxy.keda https://%v:8443/echo?msg=tls_test", host, host))
-	require.NoErrorf(t, err, "could not run command on test client pod - %s", err)
+	cmd := fmt.Sprintf("curl -k -H 'Host: %s' https://keda-http-add-on-interceptor-proxy.keda:8443/echo?msg=tls_test", host)
+	stdout, stderr, err := ExecCommandOnSpecificPod(t, clientName, testNamespace, cmd)
+	require.NoErrorf(t, err, "could not run command %q on test client pod - %s\nstdout:\n%s\nstderr:\n%s", cmd, err, stdout, stderr)
 
 	assert.Equal(t, "tls_test", stdout, fmt.Sprintf("incorrect response body from test request: expected %s, got %s", "tls_test", stdout))
 }

diff --git a/tests/utils/setup_test.go b/tests/utils/setup_test.go
@@ -251,6 +251,9 @@ func TestSetupTLSConfiguration(t *testing.T) {
 
 	_, err = ExecuteCommand("kubectl -n keda create secret tls keda-tls --cert ../../certs/tls.crt --key ../../certs/tls.key")
 	require.NoErrorf(t, err, "could not create tls cert secret in keda namespace - %s", err)
+
+	_, err = ExecuteCommand("kubectl -n keda create secret tls abc-certs --cert ../../certs/abc.tls.crt --key ../../certs/abc.tls.key")
+	require.NoErrorf(t, err, "could not create tls cert secret in keda namespace - %s", err)
 }
 
 func TestDeployKEDAHttpAddOn(t *testing.T) {