From 2d87bf7a08450ad87ba082678dff24c40841501b Mon Sep 17 00:00:00 2001 From: dprotaso Date: Thu, 19 Jan 2023 16:17:19 -0500 Subject: [PATCH 01/11] test net-certmanager changes --- .../cert-manager-latest/net-certmanager.yaml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/third_party/cert-manager-latest/net-certmanager.yaml b/third_party/cert-manager-latest/net-certmanager.yaml index 5792eb72bfc4..a2b810d419de 100644 --- a/third_party/cert-manager-latest/net-certmanager.yaml +++ b/third_party/cert-manager-latest/net-certmanager.yaml @@ -19,7 +19,7 @@ metadata: name: knative-serving-certmanager labels: app.kubernetes.io/component: net-certmanager - app.kubernetes.io/version: "20230123-cce02568" + app.kubernetes.io/version: devel app.kubernetes.io/name: knative-serving serving.knative.dev/controller: "true" networking.knative.dev/certificate-provider: cert-manager @@ -52,7 +52,7 @@ metadata: name: config.webhook.net-certmanager.networking.internal.knative.dev labels: app.kubernetes.io/component: net-certmanager - app.kubernetes.io/version: "20230123-cce02568" + app.kubernetes.io/version: devel app.kubernetes.io/name: knative-serving networking.knative.dev/certificate-provider: cert-manager webhooks: @@ -93,7 +93,7 @@ metadata: namespace: knative-serving labels: app.kubernetes.io/component: net-certmanager - app.kubernetes.io/version: "20230123-cce02568" + app.kubernetes.io/version: devel app.kubernetes.io/name: knative-serving networking.knative.dev/certificate-provider: cert-manager @@ -119,7 +119,7 @@ metadata: namespace: knative-serving labels: app.kubernetes.io/component: net-certmanager - app.kubernetes.io/version: "20230123-cce02568" + app.kubernetes.io/version: devel app.kubernetes.io/name: knative-serving networking.knative.dev/certificate-provider: cert-manager data: 
@@ -168,7 +168,7 @@ metadata: namespace: knative-serving labels: app.kubernetes.io/component: net-certmanager - app.kubernetes.io/version: "20230123-cce02568" + app.kubernetes.io/version: devel app.kubernetes.io/name: knative-serving networking.knative.dev/certificate-provider: cert-manager spec: @@ -182,7 +182,7 @@ spec: labels: app: net-certmanager-controller app.kubernetes.io/component: net-certmanager - app.kubernetes.io/version: "20230123-cce02568" + app.kubernetes.io/version: devel app.kubernetes.io/name: knative-serving spec: serviceAccountName: controller @@ -190,7 +190,7 @@ spec: - name: controller # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-nightly/knative.dev/net-certmanager/cmd/controller@sha256:61651eca0cbf2ab83ccdb2d64f98bee041b2869008b9e86c41714311ecdadda5 + image: gcr.io/pivotal-knative/dave/controller-b5455ad1ba7b683d126966c08026cd15@sha256:5a786db6b17acc5c3e2037bda2442d85544522768deae3677d9732af4aef9572 resources: requests: cpu: 30m @@ -229,7 +229,7 @@ metadata: labels: app: net-certmanager-controller app.kubernetes.io/component: net-certmanager - app.kubernetes.io/version: "20230123-cce02568" + app.kubernetes.io/version: devel app.kubernetes.io/name: knative-serving networking.knative.dev/certificate-provider: cert-manager name: net-certmanager-controller @@ -268,7 +268,7 @@ metadata: namespace: knative-serving labels: app.kubernetes.io/component: net-certmanager - app.kubernetes.io/version: "20230123-cce02568" + app.kubernetes.io/version: devel app.kubernetes.io/name: knative-serving networking.knative.dev/certificate-provider: cert-manager spec: @@ -283,7 +283,7 @@ spec: labels: app: net-certmanager-webhook app.kubernetes.io/component: net-certmanager - app.kubernetes.io/version: "20230123-cce02568" + app.kubernetes.io/version: devel app.kubernetes.io/name: knative-serving role: net-certmanager-webhook spec: 
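Review bot: The controller image in the `@@ -190` hunk now points at a personal registry path, `gcr.io/pivotal-knative/dave/controller-…`, in place of the `gcr.io/knative-nightly` image it replaces, and the `@@ -292` hunk does the same for the webhook; a third_party manifest should not pin a developer-owned image even by digest, because whoever controls that repository controls what the cluster runs. The `app.kubernetes.io/version: devel` labels in the remaining hunks of this patch also drop the build id that tied the manifest to a specific net-certmanager build. If this is scratch work for the test run, as the subject "test net-certmanager changes" suggests, mark each changed image line, e.g. `# TEMP(testing): revert to the knative-nightly image before merge`, so it cannot land by accident.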
@@ -292,7 +292,7 @@ spec: - name: webhook # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-nightly/knative.dev/net-certmanager/cmd/webhook@sha256:2f65e85b9cf2d8a10507c1fc02333ca00350864235d4bfab1dc28c7a8d2e61a2 + image: gcr.io/pivotal-knative/dave/webhook-29139c5ce1fe7007906a2b725aaa018b@sha256:dca6101881eec45ce0fc293efccec3dbe17c9a1e621073cd92bab9fdf366c84a resources: requests: cpu: 20m @@ -356,7 +356,7 @@ metadata: labels: role: net-certmanager-webhook app.kubernetes.io/component: net-certmanager - app.kubernetes.io/version: "20230123-cce02568" + app.kubernetes.io/version: devel app.kubernetes.io/name: knative-serving networking.knative.dev/certificate-provider: cert-manager spec: From 956c996fcdb0d9bf28f0ba5766d6825d69992763 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Thu, 19 Jan 2023 21:07:43 -0500 Subject: [PATCH 02/11] use a long domain name --- test/e2e/autotls/auto_tls_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/test/e2e/autotls/auto_tls_test.go b/test/e2e/autotls/auto_tls_test.go index 5750393402f0..fcb2d789c128 100644 --- a/test/e2e/autotls/auto_tls_test.go +++ b/test/e2e/autotls/auto_tls_test.go @@ -94,6 +94,7 @@ func testAutoTLS(t *testing.T) { if len(env.TLSServiceName) != 0 { names.Service = env.TLSServiceName } + names.Service = names.Service + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" test.EnsureTearDown(t, clients, &names) objects, err := v1test.CreateServiceReady(t, clients, &names) From 9fe21638b1261f5a75b0166897c637edec49be95 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Fri, 20 Jan 2023 07:49:20 -0500 Subject: [PATCH 03/11] make service name < 63 --- test/e2e/autotls/auto_tls_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/test/e2e/autotls/auto_tls_test.go b/test/e2e/autotls/auto_tls_test.go index fcb2d789c128..dbb4750bd2f7 100644 --- a/test/e2e/autotls/auto_tls_test.go 
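Review bot: The added line appends the 100-character suffix unconditionally, so when `env.TLSServiceName` is set the override that the preceding `if` just applied is silently altered, and the bare literal gives no hint why a long name is wanted. The later hunks in this series that truncate the result, `names.Service[:62]` in patch 03 and `names.Service[:60]` in patch 05, carry the same problem of an unexplained magic number. Consider a named constant with the reason, e.g. `const maxTLSServiceNameLen = 60 // keep the service name, and the host label derived from it, under the 63-char DNS label limit`, and decide explicitly whether a caller-supplied `TLS_SERVICE_NAME` should be padded at all. testAutoTLS continues outside the hunk.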
+++ b/test/e2e/autotls/auto_tls_test.go @@ -95,6 +95,7 @@ func testAutoTLS(t *testing.T) { names.Service = env.TLSServiceName } names.Service = names.Service + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + names.Service = names.Service[:62] test.EnsureTearDown(t, clients, &names) objects, err := v1test.CreateServiceReady(t, clients, &names) From b8fef20d725c2909f738bc4ada18412ae646be50 Mon Sep 17 00:00:00 2001 From: dprotaso Date: Fri, 20 Jan 2023 10:36:56 -0500 Subject: [PATCH 04/11] skip cleanup on failure autotls --- test/e2e-auto-tls-tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e-auto-tls-tests.sh b/test/e2e-auto-tls-tests.sh index 861921069974..a7d717329f50 100755 --- a/test/e2e-auto-tls-tests.sh +++ b/test/e2e-auto-tls-tests.sh @@ -175,7 +175,7 @@ if [[ -z "${INGRESS_CLASS}" \ alpha="--enable-alpha" fi -AUTO_TLS_TEST_OPTIONS="${AUTO_TLS_TEST_OPTIONS:-${alpha} --enable-beta}" +AUTO_TLS_TEST_OPTIONS="${AUTO_TLS_TEST_OPTIONS:-${alpha} --enable-beta -skip-cleanup-on-fail}" # Auto TLS E2E tests mutate the cluster and must be ran separately # because they need auto-tls and cert-manager specific configurations From 4abdcfdf50ab0a7f9ef28554f8cd7dbcd7a6c8ce Mon Sep 17 00:00:00 2001 From: dprotaso Date: Fri, 20 Jan 2023 11:26:42 -0500 Subject: [PATCH 05/11] fix domain name length --- test/e2e/autotls/auto_tls_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/autotls/auto_tls_test.go b/test/e2e/autotls/auto_tls_test.go index dbb4750bd2f7..02196a3e74f1 100644 --- a/test/e2e/autotls/auto_tls_test.go +++ b/test/e2e/autotls/auto_tls_test.go 
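Review bot: `-skip-cleanup-on-fail` becomes part of the default `AUTO_TLS_TEST_OPTIONS`, so every failing run of these tests now presumably leaves the test's Knative Services and related objects on the cluster, not only when someone debugging asks for it. Because the assignment already honours a preset `AUTO_TLS_TEST_OPTIONS`, the flag can be supplied by the person debugging without changing the default, e.g. `AUTO_TLS_TEST_OPTIONS="${alpha} --enable-beta -skip-cleanup-on-fail" test/e2e-auto-tls-tests.sh`. If it has to stay in the default, add a comment on the line stating that leftover resources are intentional and what removes them afterwards.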
@@ -95,7 +95,7 @@ func testAutoTLS(t *testing.T) { names.Service = env.TLSServiceName } names.Service = names.Service + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" - names.Service = names.Service[:62] + names.Service = names.Service[:60] test.EnsureTearDown(t, clients, &names) objects, err := v1test.CreateServiceReady(t, clients, &names) From a5a888da731ab4efe41a346afb6df30d7fb2d210 Mon Sep 17 00:00:00 2001 From: dprotaso Date: Fri, 20 Jan 2023 11:56:57 -0500 Subject: [PATCH 06/11] run HTTP01 tests --- test/e2e-auto-tls-tests.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e-auto-tls-tests.sh b/test/e2e-auto-tls-tests.sh index a7d717329f50..1fd6dfd3526b 100755 --- a/test/e2e-auto-tls-tests.sh +++ b/test/e2e-auto-tls-tests.sh @@ -194,14 +194,14 @@ add_trap "cleanup_per_selfsigned_namespace_auto_tls" SIGKILL SIGTERM SIGQUIT go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1 cleanup_per_selfsigned_namespace_auto_tls -if [[ ${RUN_HTTP01_AUTO_TLS_TESTS} -eq 1 ]]; then +# if [[ ${RUN_HTTP01_AUTO_TLS_TESTS} -eq 1 ]]; then subheader "Auto TLS test for per-ksvc certificate provision using HTTP01 challenge" setup_http01_auto_tls add_trap "delete_dns_record" SIGKILL SIGTERM SIGQUIT go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1 kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/http01/ delete_dns_record -fi +# fi (( failed )) && fail_test From f4bf85a393bad974d71db7071e303d962ae3a02d Mon Sep 17 00:00:00 2001 From: dprotaso Date: Fri, 20 Jan 2023 15:19:55 -0500 Subject: [PATCH 07/11] run only http01 tests --- test/e2e-auto-tls-tests.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/test/e2e-auto-tls-tests.sh b/test/e2e-auto-tls-tests.sh index 1fd6dfd3526b..968d5b03a7d6 100755 --- a/test/e2e-auto-tls-tests.sh +++ b/test/e2e-auto-tls-tests.sh 
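Review bot: Commenting out the `if [[ ${RUN_HTTP01_AUTO_TLS_TESTS} -eq 1 ]]` guard and its `fi` makes the HTTP01 section run unconditionally, so `setup_http01_auto_tls` and the DNS record changes now happen on every invocation of the script, including runs that never opted in; the `@@ -183` hunk of patch 07 does the mirror image by commenting out the self-signed runs. Since the guard already reads an environment variable, the same effect is available without editing the script, `RUN_HTTP01_AUTO_TLS_TESTS=1`, which keeps the structure intact and makes the intent visible in the CI invocation. If the commented-out lines are meant to be temporary, a `# TEMP:` marker on them would make that explicit.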
@@ -183,16 +183,16 @@ subheader "Setup auto tls" setup_auto_tls_common add_trap "cleanup_auto_tls_common" EXIT SIGKILL SIGTERM SIGQUIT -subheader "Auto TLS test for per-ksvc certificate provision using self-signed CA" -setup_selfsigned_per_ksvc_auto_tls -go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1 -kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/selfsigned/ - -subheader "Auto TLS test for per-namespace certificate provision using self-signed CA" -setup_selfsigned_per_namespace_auto_tls -add_trap "cleanup_per_selfsigned_namespace_auto_tls" SIGKILL SIGTERM SIGQUIT -go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1 -cleanup_per_selfsigned_namespace_auto_tls +# subheader "Auto TLS test for per-ksvc certificate provision using self-signed CA" +# setup_selfsigned_per_ksvc_auto_tls +# go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1 +# kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/selfsigned/ + +# subheader "Auto TLS test for per-namespace certificate provision using self-signed CA" +# setup_selfsigned_per_namespace_auto_tls +# add_trap "cleanup_per_selfsigned_namespace_auto_tls" SIGKILL SIGTERM SIGQUIT +# go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1 +# cleanup_per_selfsigned_namespace_auto_tls # if [[ ${RUN_HTTP01_AUTO_TLS_TESTS} -eq 1 ]]; then subheader "Auto TLS test for per-ksvc certificate provision using HTTP01 challenge" From 6176fbf4eb0f2815a1788c9c0e8235bc2d0999e1 Mon Sep 17 00:00:00 2001 From: dprotaso Date: Fri, 20 Jan 2023 16:08:17 -0500 Subject: [PATCH 08/11] don't delete the cluster issuer + debugging --- test/e2e-auto-tls-tests.sh | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/test/e2e-auto-tls-tests.sh b/test/e2e-auto-tls-tests.sh index 968d5b03a7d6..858d31f68c9e 100755 --- a/test/e2e-auto-tls-tests.sh +++ b/test/e2e-auto-tls-tests.sh 
@@ -72,12 +72,13 @@ function setup_auto_tls_common() { } function cleanup_auto_tls_common() { - cleanup_custom_domain + true + # cleanup_custom_domain - toggle_feature autoTLS Disabled config-network - toggle_feature autocreateClusterDomainClaims false config-network - toggle_feature namespace-wildcard-cert-selector "" config-network - kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}" + # toggle_feature autoTLS Disabled config-network + # toggle_feature autocreateClusterDomainClaims false config-network + # toggle_feature namespace-wildcard-cert-selector "" config-network + # kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}" } function setup_http01_auto_tls() { @@ -158,6 +159,9 @@ function delete_dns_record() { fi } + +export ENABLE_GKE_TELEMETRY=true + # Script entry point. initialize "$@" --skip-istio-addon --min-nodes=4 --max-nodes=4 --enable-ha --cluster-version=1.24 @@ -199,7 +203,6 @@ add_trap "cleanup_auto_tls_common" EXIT SIGKILL SIGTERM SIGQUIT setup_http01_auto_tls add_trap "delete_dns_record" SIGKILL SIGTERM SIGQUIT go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1 - kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/http01/ delete_dns_record # fi From 08a72af905cefced14db2085ef7074e48737d624 Mon Sep 17 00:00:00 2001 From: dprotaso Date: Fri, 20 Jan 2023 23:26:57 -0500 Subject: [PATCH 09/11] ensure DNS record is *.{domain} --- test/e2e-auto-tls-tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e-auto-tls-tests.sh b/test/e2e-auto-tls-tests.sh index 858d31f68c9e..549b36275fba 100755 --- a/test/e2e-auto-tls-tests.sh +++ b/test/e2e-auto-tls-tests.sh 
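Review bot: `cleanup_auto_tls_common` is reduced to `true`, yet it is still registered with `add_trap "cleanup_auto_tls_common" EXIT …` further down the script, so the run now exits with `autoTLS` still Enabled, `autocreateClusterDomainClaims` still true, the namespace wildcard selector still set and the kcerts in `${TLS_TEST_NAMESPACE}` left in place; on a shared or reused cluster that state bleeds into whatever runs next. The `@@ -199` hunk of the same patch drops the `kubectl delete -f …/http01/` call, so the HTTP01 issuer configuration persists after the test as well. `export ENABLE_GKE_TELEMETRY=true` is added at top level with no comment on what it enables or why a TLS test needs it; please add one, e.g. `# TEMP: GKE telemetry while debugging the HTTP01 run`. If all of this is debugging scaffolding, say so in the function body rather than leaving a bare `true`, e.g. `# TEMP: cleanup disabled while debugging; restore before merge`.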
@@ -87,7 +87,7 @@ function setup_http01_auto_tls() { # Rely on the built-in naming (for logstream) unset TLS_SERVICE_NAME # The full host name of the Knative Service. This is used to configure the DNS record. - export AUTO_TLS_TEST_FULL_HOST_NAME="*.${TLS_TEST_NAMESPACE}.${CUSTOM_DOMAIN_SUFFIX}" + export AUTO_TLS_TEST_FULL_HOST_NAME="*.${CUSTOM_DOMAIN_SUFFIX}" kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}" From 8f7799c0aee1b1326cab5b34ca194c696677f01e Mon Sep 17 00:00:00 2001 From: dprotaso Date: Sun, 22 Jan 2023 14:08:13 -0500 Subject: [PATCH 10/11] allow challenges for hosts that don't match the route's host --- pkg/reconciler/route/resources/ingress.go | 27 ++++++++++--------- .../route/resources/ingress_test.go | 7 ++--- pkg/reconciler/route/table_test.go | 18 +++++++++++++ 3 files changed, 37 insertions(+), 15 deletions(-) diff --git a/pkg/reconciler/route/resources/ingress.go b/pkg/reconciler/route/resources/ingress.go index f6cf82618d17..5046b486120d 100644 --- a/pkg/reconciler/route/resources/ingress.go +++ b/pkg/reconciler/route/resources/ingress.go @@ -185,8 +185,9 @@ func makeIngressSpec( } // If this is a public rule, we need to configure ACME challenge paths. if visibility == netv1alpha1.IngressVisibilityExternalIP { - rule.HTTP.Paths = append( - MakeACMEIngressPaths(acmeChallenges, domains...), rule.HTTP.Paths...) + paths, hosts := MakeACMEIngressPaths(acmeChallenges, domains) + rule.Hosts = append(hosts, rule.Hosts...) + rule.HTTP.Paths = append(paths, rule.HTTP.Paths...) } rules = append(rules, rule) } 
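Review bot: The comment above the changed line still reads "The full host name of the Knative Service", but the exported value is now a wildcard over the whole `${CUSTOM_DOMAIN_SUFFIX}` rather than a name under the test namespace, so the comment no longer describes what is set. Suggest `# Wildcard for the entire custom domain (not just the Knative Service host); used to configure the DNS record.` While the record exists every name under the suffix resolves to this cluster, so the suffix should be dedicated to these tests; `delete_dns_record` is outside the hunk, so I cannot confirm it removes the widened record.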
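Review bot: `rule.Hosts = append(hosts, rule.Hosts...)` attaches every challenge host that is not one of the route's domains to the same rule that carries the route's traffic paths, so once the ACME paths are prepended a request for such a host at any other path is served by this route's revisions; those hosts only need the `/.well-known/acme-challenge/…` paths. Putting the extra hosts into their own rule, whose `HTTP.Paths` are just the returned challenge paths, keeps each hostname scoped to what it is meant to serve. The rest of makeIngressSpec, including where `rule` and `domains` come from, is outside the hunk.

```go
if visibility == netv1alpha1.IngressVisibilityExternalIP {
	paths, hosts := MakeACMEIngressPaths(acmeChallenges, domains)
	rule.HTTP.Paths = append(paths, rule.HTTP.Paths...)
	if len(hosts) > 0 {
		// Challenge hosts outside this route's domains get a rule that carries
		// only the ACME paths, so they never reach the route's traffic splits.
		rules = append(rules, netv1alpha1.IngressRule{
			Hosts:      hosts,
			Visibility: visibility,
			HTTP:       &netv1alpha1.HTTPIngressRuleValue{Paths: paths},
		})
	}
}
rules = append(rules, rule)
```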
@@ -214,7 +215,7 @@ func getChallengeHosts(challenges []netv1alpha1.HTTP01Challenge) map[string]netv return c } -func routeDomain(ctx context.Context, targetName string, r *servingv1.Route, visibility netv1alpha1.IngressVisibility) ([]string, error) { +func routeDomain(ctx context.Context, targetName string, r *servingv1.Route, visibility netv1alpha1.IngressVisibility) (sets.String, error) { hostname, err := domains.HostnameFromTemplate(ctx, r.Name, targetName) if err != nil { return nil, err @@ -232,18 +233,20 @@ func routeDomain(ctx context.Context, targetName string, r *servingv1.Route, vis if isClusterLocal { domains = ingress.ExpandedHosts(sets.NewString(domains...)).List() } - return domains, err + return sets.NewString(domains...), err } // MakeACMEIngressPaths returns a set of netv1alpha1.HTTPIngressPath // that can be used to perform ACME challenges. -func MakeACMEIngressPaths(acmeChallenges []netv1alpha1.HTTP01Challenge, domains ...string) []netv1alpha1.HTTPIngressPath { +func MakeACMEIngressPaths(acmeChallenges []netv1alpha1.HTTP01Challenge, domains sets.String) ([]netv1alpha1.HTTPIngressPath, []string) { challenges := getChallengeHosts(acmeChallenges) + paths := make([]netv1alpha1.HTTPIngressPath, 0, len(challenges)) - for _, domain := range domains { - challenge, ok := challenges[domain] - if !ok { - continue + var extraHosts []string + + for _, challenge := range challenges { + if !domains.Has(challenge.URL.Host) { + extraHosts = append(extraHosts, challenge.URL.Host) } paths = append(paths, netv1alpha1.HTTPIngressPath{ 
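Review bot: The loop now ranges over `challenges`, which `getChallengeHosts` returns as a map, so both `paths` and `extraHosts` come out in Go's randomized map order, whereas the old loop followed the order of `domains`; the Ingress spec built from them can differ between reconciles of identical input, which shows up as needless Ingress updates and as order-dependent expectations in the `table_test.go` hunks of this patch that now carry two challenges. Iterating in a fixed order fixes it with `sets`, which this file already uses: `for _, host := range sets.StringKeySet(challenges).List() { challenge := challenges[host]` … and `return paths, sets.NewString(extraHosts...).List()`. In the `isClusterLocal` branch just above, the hosts are turned into a set, back into a list, and into a set again on return; `ingress.ExpandedHosts(sets.NewString(domains...))` could be returned directly. MakeACMEIngressPaths continues outside the hunk.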
@@ -258,16 +261,16 @@ func MakeACMEIngressPaths(acmeChallenges []netv1alpha1.HTTP01Challenge, domains Path: challenge.URL.Path, }) } - return paths + return paths, extraHosts } -func makeIngressRule(domains []string, ns string, +func makeIngressRule(domains sets.String, ns string, visibility netv1alpha1.IngressVisibility, targets traffic.RevisionTargets, roCfgs []*traffic.ConfigurationRollout, encryption bool) netv1alpha1.IngressRule { return netv1alpha1.IngressRule{ - Hosts: domains, + Hosts: domains.List(), Visibility: visibility, HTTP: &netv1alpha1.HTTPIngressRuleValue{ Paths: []netv1alpha1.HTTPIngressPath{ diff --git a/pkg/reconciler/route/resources/ingress_test.go b/pkg/reconciler/route/resources/ingress_test.go index cc6516a3ea8c..89dd75eac635 100644 --- a/pkg/reconciler/route/resources/ingress_test.go +++ b/pkg/reconciler/route/resources/ingress_test.go @@ -26,6 +26,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/apimachinery/pkg/util/sets" "knative.dev/networking/pkg/apis/networking" netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1" @@ -853,7 +854,7 @@ func TestMakeIngressSpecCorrectRulesWithTagBasedRouting(t *testing.T) { // One active target. func TestMakeIngressRuleVanilla(t *testing.T) { - domains := []string{"a.com", "b.org"} + domains := sets.NewString("a.com", "b.org") targets := traffic.RevisionTargets{{ TrafficTarget: v1.TrafficTarget{ ConfigurationName: "config", @@ -913,7 +914,7 @@ func TestMakeIngressRuleZeroPercentTarget(t *testing.T) { Percent: ptr.Int64(0), }, }} - domains := []string{"test.org"} + domains := sets.NewString("test.org") tc := &traffic.Config{ Targets: map[string]traffic.RevisionTargets{ traffic.DefaultTarget: targets, 
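Review bot: The new second return value of `MakeACMEIngressPaths` is not exercised at unit level by this patch: the `ingress_test.go` hunks only switch `domains` to `sets.NewString(...)`, and the reconciler table test checks the assembled Ingress rather than the split between matching and non-matching hosts. A small test calling `MakeACMEIngressPaths` with one challenge whose host is in `domains` and one whose host is not, asserting that only the latter comes back as an extra host, would pin the behaviour the commit title describes. The doc comment on the function (context in the `@@ -232` hunk) still says it "returns a set of netv1alpha1.HTTPIngressPath" and should mention the second result, e.g. `// It also returns the challenge hosts that are not in domains, so the caller can expose them.`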
@@ -969,7 +970,7 @@ func TestMakeIngressRuleTwoTargets(t *testing.T) { }, } ro := tc.BuildRollout() - domains := []string{"test.org"} + domains := sets.NewString("test.org") rule := makeIngressRule(domains, ns, netv1alpha1.IngressVisibilityExternalIP, targets, ro.RolloutsByTag("a-tag"), false /* internal encryption */) expected := netv1alpha1.IngressRule{ diff --git a/pkg/reconciler/route/table_test.go b/pkg/reconciler/route/table_test.go index eff5454be18d..accca01c3bbb 100644 --- a/pkg/reconciler/route/table_test.go +++ b/pkg/reconciler/route/table_test.go @@ -2758,6 +2758,15 @@ func TestReconcileEnableAutoTLS(t *testing.T) { ServiceName: "cm-solver", ServicePort: intstr.FromInt(8090), ServiceNamespace: "default", + }, { + URL: &apis.URL{ + Scheme: "http", + Host: "k.example.com", + Path: "/.well-known/acme-challenge/challengeToken2", + }, + ServiceName: "cm-solver", + ServicePort: intstr.FromInt(8090), + ServiceNamespace: "default", }}, }, }, @@ -2788,6 +2797,15 @@ func TestReconcileEnableAutoTLS(t *testing.T) { ServiceName: "cm-solver", ServicePort: intstr.FromInt(8090), ServiceNamespace: "default", + }, { + URL: &apis.URL{ + Scheme: "http", + Host: "k.example.com", + Path: "/.well-known/acme-challenge/challengeToken2", + }, + ServiceName: "cm-solver", + ServicePort: intstr.FromInt(8090), + ServiceNamespace: "default", }}, ), simpleK8sService( From fafaf0dba22865a3415e10dbda8387a0f887935f Mon Sep 17 00:00:00 2001 From: dprotaso Date: Sun, 22 Jan 2023 14:38:23 -0500 Subject: [PATCH 11/11] fix domain mapping --- pkg/reconciler/domainmapping/resources/ingress.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkg/reconciler/domainmapping/resources/ingress.go b/pkg/reconciler/domainmapping/resources/ingress.go index d8903c9aa5d6..f9f3b287426b 100644 --- a/pkg/reconciler/domainmapping/resources/ingress.go +++ b/pkg/reconciler/domainmapping/resources/ingress.go 
@@ -19,6 +19,7 @@ package resources import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/apimachinery/pkg/util/sets" netapi "knative.dev/networking/pkg/apis/networking" netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1" @@ -35,6 +36,7 @@ import ( // KIngress). The created ingress will contain a RewriteHost rule to cause the // given hostName to be used as the host. func MakeIngress(dm *servingv1alpha1.DomainMapping, backendServiceName, hostName, ingressClass string, httpOption netv1alpha1.HTTPOption, tls []netv1alpha1.IngressTLS, acmeChallenges ...netv1alpha1.HTTP01Challenge) *netv1alpha1.Ingress { + paths, hosts := routeresources.MakeACMEIngressPaths(acmeChallenges, sets.NewString(dm.GetName())) return &netv1alpha1.Ingress{ ObjectMeta: metav1.ObjectMeta{ Name: kmeta.ChildName(dm.GetName(), ""), @@ -52,11 +54,11 @@ func MakeIngress(dm *servingv1alpha1.DomainMapping, backendServiceName, hostName HTTPOption: httpOption, TLS: tls, Rules: []netv1alpha1.IngressRule{{ - Hosts: []string{dm.Name}, + Hosts: append(hosts, dm.Name), Visibility: netv1alpha1.IngressVisibilityExternalIP, HTTP: &netv1alpha1.HTTPIngressRuleValue{ // The order of the paths is sensitive, always put tls challenge first - Paths: append(routeresources.MakeACMEIngressPaths(acmeChallenges, dm.GetName()), + Paths: append(paths, []netv1alpha1.HTTPIngressPath{{ RewriteHost: hostName, Splits: []netv1alpha1.IngressBackendSplit{{
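Review bot: `Hosts: append(hosts, dm.Name)` puts the challenge hosts that do not match the domain mapping into the same rule as `dm.Name`, and that rule's paths include the `RewriteHost: hostName` path, so a request for one of those hosts at any path other than the ACME one is rewritten and forwarded to the mapped service. As with `makeIngressSpec` in patch 10, a separate rule holding only the extra hosts and the challenge `paths` would keep the rewrite scoped to `dm.Name`. Minor: the call uses `sets.NewString(dm.GetName())` while the rule uses `dm.Name`; pick one form. MakeIngress continues past the end of the hunk.

```go
paths, hosts := routeresources.MakeACMEIngressPaths(acmeChallenges, sets.NewString(dm.GetName()))
// Hosts that only need the ACME challenge must never receive the RewriteHost path.
var challengeRules []netv1alpha1.IngressRule
if len(hosts) > 0 {
	challengeRules = append(challengeRules, netv1alpha1.IngressRule{
		Hosts:      hosts,
		Visibility: netv1alpha1.IngressVisibilityExternalIP,
		HTTP:       &netv1alpha1.HTTPIngressRuleValue{Paths: paths},
	})
}
return &netv1alpha1.Ingress{
	// … unchanged: ObjectMeta, Spec.HTTPOption, Spec.TLS …
	Rules: append(challengeRules, netv1alpha1.IngressRule{
		Hosts:      []string{dm.Name},
		// … unchanged: Visibility, HTTP (challenge paths first, then the RewriteHost path) …
```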