[wip] test net-certmanager changes

pkg/reconciler/domainmapping/resources/ingress.go

@@ -19,6 +19,7 @@ package resources
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/sets"
 
 	netapi "knative.dev/networking/pkg/apis/networking"
 	netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
@@ -35,6 +36,7 @@ import (
 // KIngress).  The created ingress will contain a RewriteHost rule to cause the
 // given hostName to be used as the host.
 func MakeIngress(dm *servingv1alpha1.DomainMapping, backendServiceName, hostName, ingressClass string, httpOption netv1alpha1.HTTPOption, tls []netv1alpha1.IngressTLS, acmeChallenges ...netv1alpha1.HTTP01Challenge) *netv1alpha1.Ingress {
+	paths, hosts := routeresources.MakeACMEIngressPaths(acmeChallenges, sets.NewString(dm.GetName()))
 	return &netv1alpha1.Ingress{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      kmeta.ChildName(dm.GetName(), ""),
@@ -52,11 +54,11 @@ func MakeIngress(dm *servingv1alpha1.DomainMapping, backendServiceName, hostName
 			HTTPOption: httpOption,
 			TLS:        tls,
 			Rules: []netv1alpha1.IngressRule{{
-				Hosts:      []string{dm.Name},
+				Hosts:      append(hosts, dm.Name),
 				Visibility: netv1alpha1.IngressVisibilityExternalIP,
 				HTTP: &netv1alpha1.HTTPIngressRuleValue{
 					// The order of the paths is sensitive, always put tls challenge first
-					Paths: append(routeresources.MakeACMEIngressPaths(acmeChallenges, dm.GetName()),
+					Paths: append(paths,
 						[]netv1alpha1.HTTPIngressPath{{
 							RewriteHost: hostName,
 							Splits: []netv1alpha1.IngressBackendSplit{{

pkg/reconciler/route/resources/ingress.go

@@ -185,8 +185,9 @@ func makeIngressSpec(
 			}
 			// If this is a public rule, we need to configure ACME challenge paths.
 			if visibility == netv1alpha1.IngressVisibilityExternalIP {
-				rule.HTTP.Paths = append(
-					MakeACMEIngressPaths(acmeChallenges, domains...), rule.HTTP.Paths...)
+				paths, hosts := MakeACMEIngressPaths(acmeChallenges, domains)
+				rule.Hosts = append(hosts, rule.Hosts...)
+				rule.HTTP.Paths = append(paths, rule.HTTP.Paths...)
 			}
 			rules = append(rules, rule)
 		}
@@ -214,7 +215,7 @@ func getChallengeHosts(challenges []netv1alpha1.HTTP01Challenge) map[string]netv
 	return c
 }
 
-func routeDomain(ctx context.Context, targetName string, r *servingv1.Route, visibility netv1alpha1.IngressVisibility) ([]string, error) {
+func routeDomain(ctx context.Context, targetName string, r *servingv1.Route, visibility netv1alpha1.IngressVisibility) (sets.String, error) {
 	hostname, err := domains.HostnameFromTemplate(ctx, r.Name, targetName)
 	if err != nil {
 		return nil, err
@@ -232,18 +233,20 @@ func routeDomain(ctx context.Context, targetName string, r *servingv1.Route, vis
 	if isClusterLocal {
 		domains = ingress.ExpandedHosts(sets.NewString(domains...)).List()
 	}
-	return domains, err
+	return sets.NewString(domains...), err
 }
 
 // MakeACMEIngressPaths returns a set of netv1alpha1.HTTPIngressPath
 // that can be used to perform ACME challenges.
-func MakeACMEIngressPaths(acmeChallenges []netv1alpha1.HTTP01Challenge, domains ...string) []netv1alpha1.HTTPIngressPath {
+func MakeACMEIngressPaths(acmeChallenges []netv1alpha1.HTTP01Challenge, domains sets.String) ([]netv1alpha1.HTTPIngressPath, []string) {
 	challenges := getChallengeHosts(acmeChallenges)
+
 	paths := make([]netv1alpha1.HTTPIngressPath, 0, len(challenges))
-	for _, domain := range domains {
-		challenge, ok := challenges[domain]
-		if !ok {
-			continue
+	var extraHosts []string
+
+	for _, challenge := range challenges {
+		if !domains.Has(challenge.URL.Host) {
+			extraHosts = append(extraHosts, challenge.URL.Host)
 		}
 
 		paths = append(paths, netv1alpha1.HTTPIngressPath{
@@ -258,16 +261,16 @@ func MakeACMEIngressPaths(acmeChallenges []netv1alpha1.HTTP01Challenge, domains
 			Path: challenge.URL.Path,
 		})
 	}
-	return paths
+	return paths, extraHosts
 }
 
-func makeIngressRule(domains []string, ns string,
+func makeIngressRule(domains sets.String, ns string,
 	visibility netv1alpha1.IngressVisibility,
 	targets traffic.RevisionTargets,
 	roCfgs []*traffic.ConfigurationRollout,
 	encryption bool) netv1alpha1.IngressRule {
 	return netv1alpha1.IngressRule{
-		Hosts:      domains,
+		Hosts:      domains.List(),
 		Visibility: visibility,
 		HTTP: &netv1alpha1.HTTPIngressRuleValue{
 			Paths: []netv1alpha1.HTTPIngressPath{

pkg/reconciler/route/resources/ingress_test.go

@@ -26,6 +26,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/sets"
 
 	"knative.dev/networking/pkg/apis/networking"
 	netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
@@ -853,7 +854,7 @@ func TestMakeIngressSpecCorrectRulesWithTagBasedRouting(t *testing.T) {
 
 // One active target.
 func TestMakeIngressRuleVanilla(t *testing.T) {
-	domains := []string{"a.com", "b.org"}
+	domains := sets.NewString("a.com", "b.org")
 	targets := traffic.RevisionTargets{{
 		TrafficTarget: v1.TrafficTarget{
 			ConfigurationName: "config",
@@ -913,7 +914,7 @@ func TestMakeIngressRuleZeroPercentTarget(t *testing.T) {
 			Percent:           ptr.Int64(0),
 		},
 	}}
-	domains := []string{"test.org"}
+	domains := sets.NewString("test.org")
 	tc := &traffic.Config{
 		Targets: map[string]traffic.RevisionTargets{
 			traffic.DefaultTarget: targets,
@@ -969,7 +970,7 @@ func TestMakeIngressRuleTwoTargets(t *testing.T) {
 		},
 	}
 	ro := tc.BuildRollout()
-	domains := []string{"test.org"}
+	domains := sets.NewString("test.org")
 	rule := makeIngressRule(domains, ns, netv1alpha1.IngressVisibilityExternalIP,
 		targets, ro.RolloutsByTag("a-tag"), false /* internal encryption */)
 	expected := netv1alpha1.IngressRule{

pkg/reconciler/route/table_test.go

@@ -2758,6 +2758,15 @@ func TestReconcileEnableAutoTLS(t *testing.T) {
 						ServiceName:      "cm-solver",
 						ServicePort:      intstr.FromInt(8090),
 						ServiceNamespace: "default",
+					}, {
+						URL: &apis.URL{
+							Scheme: "http",
+							Host:   "k.example.com",
+							Path:   "/.well-known/acme-challenge/challengeToken2",
+						},
+						ServiceName:      "cm-solver",
+						ServicePort:      intstr.FromInt(8090),
+						ServiceNamespace: "default",
 					}},
 				},
 			},
@@ -2788,6 +2797,15 @@ func TestReconcileEnableAutoTLS(t *testing.T) {
 					ServiceName:      "cm-solver",
 					ServicePort:      intstr.FromInt(8090),
 					ServiceNamespace: "default",
+				}, {
+					URL: &apis.URL{
+						Scheme: "http",
+						Host:   "k.example.com",
+						Path:   "/.well-known/acme-challenge/challengeToken2",
+					},
+					ServiceName:      "cm-solver",
+					ServicePort:      intstr.FromInt(8090),
+					ServiceNamespace: "default",
 				}},
 			),
 			simpleK8sService(

test/e2e-auto-tls-tests.sh

@@ -72,12 +72,13 @@ function setup_auto_tls_common() {
 }
 
 function cleanup_auto_tls_common() {
-  cleanup_custom_domain
+  true
+  # cleanup_custom_domain
 
-  toggle_feature autoTLS Disabled config-network
-  toggle_feature autocreateClusterDomainClaims false config-network
-  toggle_feature namespace-wildcard-cert-selector "" config-network
-  kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
+  # toggle_feature autoTLS Disabled config-network
+  # toggle_feature autocreateClusterDomainClaims false config-network
+  # toggle_feature namespace-wildcard-cert-selector "" config-network
+  # kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
 }
 
 function setup_http01_auto_tls() {
@@ -86,7 +87,7 @@ function setup_http01_auto_tls() {
   # Rely on the built-in naming (for logstream)
   unset TLS_SERVICE_NAME
   # The full host name of the Knative Service. This is used to configure the DNS record.
-  export AUTO_TLS_TEST_FULL_HOST_NAME="*.${TLS_TEST_NAMESPACE}.${CUSTOM_DOMAIN_SUFFIX}"
+  export AUTO_TLS_TEST_FULL_HOST_NAME="*.${CUSTOM_DOMAIN_SUFFIX}"
 
   kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
 
@@ -158,6 +159,9 @@ function delete_dns_record() {
   fi
 }
 
+
+export ENABLE_GKE_TELEMETRY=true
+
 # Script entry point.
 initialize "$@" --skip-istio-addon --min-nodes=4 --max-nodes=4 --enable-ha --cluster-version=1.24
 
@@ -175,33 +179,32 @@ if [[ -z "${INGRESS_CLASS}" \
   alpha="--enable-alpha"
 fi
 
-AUTO_TLS_TEST_OPTIONS="${AUTO_TLS_TEST_OPTIONS:-${alpha} --enable-beta}"
+AUTO_TLS_TEST_OPTIONS="${AUTO_TLS_TEST_OPTIONS:-${alpha} --enable-beta -skip-cleanup-on-fail}"
 
 # Auto TLS E2E tests mutate the cluster and must be ran separately
 # because they need auto-tls and cert-manager specific configurations
 subheader "Setup auto tls"
 setup_auto_tls_common
 add_trap "cleanup_auto_tls_common" EXIT SIGKILL SIGTERM SIGQUIT
 
-subheader "Auto TLS test for per-ksvc certificate provision using self-signed CA"
-setup_selfsigned_per_ksvc_auto_tls
-go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1
-kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/selfsigned/
+# subheader "Auto TLS test for per-ksvc certificate provision using self-signed CA"
+# setup_selfsigned_per_ksvc_auto_tls
+# go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1
+# kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/selfsigned/
 
-subheader "Auto TLS test for per-namespace certificate provision using self-signed CA"
-setup_selfsigned_per_namespace_auto_tls
-add_trap "cleanup_per_selfsigned_namespace_auto_tls" SIGKILL SIGTERM SIGQUIT
-go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1
-cleanup_per_selfsigned_namespace_auto_tls
+# subheader "Auto TLS test for per-namespace certificate provision using self-signed CA"
+# setup_selfsigned_per_namespace_auto_tls
+# add_trap "cleanup_per_selfsigned_namespace_auto_tls" SIGKILL SIGTERM SIGQUIT
+# go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1
+# cleanup_per_selfsigned_namespace_auto_tls
 
-if [[ ${RUN_HTTP01_AUTO_TLS_TESTS} -eq 1 ]]; then
+# if [[ ${RUN_HTTP01_AUTO_TLS_TESTS} -eq 1 ]]; then
   subheader "Auto TLS test for per-ksvc certificate provision using HTTP01 challenge"
   setup_http01_auto_tls
   add_trap "delete_dns_record" SIGKILL SIGTERM SIGQUIT
   go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1
-  kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/http01/
   delete_dns_record
-fi
+# fi
 
 (( failed )) && fail_test
 

test/e2e/autotls/auto_tls_test.go

@@ -94,6 +94,8 @@ func testAutoTLS(t *testing.T) {
 	if len(env.TLSServiceName) != 0 {
 		names.Service = env.TLSServiceName
 	}
+	names.Service = names.Service + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+	names.Service = names.Service[:60]
 	test.EnsureTearDown(t, clients, &names)
 
 	objects, err := v1test.CreateServiceReady(t, clients, &names)

third_party/cert-manager-latest/net-certmanager.yaml

@@ -19,7 +19,7 @@ metadata:
   name: knative-serving-certmanager
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20230123-cce02568"
+    app.kubernetes.io/version: devel
     app.kubernetes.io/name: knative-serving
     serving.knative.dev/controller: "true"
     networking.knative.dev/certificate-provider: cert-manager
@@ -52,7 +52,7 @@ metadata:
   name: config.webhook.net-certmanager.networking.internal.knative.dev
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20230123-cce02568"
+    app.kubernetes.io/version: devel
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 webhooks:
@@ -93,7 +93,7 @@ metadata:
   namespace: knative-serving
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20230123-cce02568"
+    app.kubernetes.io/version: devel
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 
@@ -119,7 +119,7 @@ metadata:
   namespace: knative-serving
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20230123-cce02568"
+    app.kubernetes.io/version: devel
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 data:
@@ -168,7 +168,7 @@ metadata:
   namespace: knative-serving
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20230123-cce02568"
+    app.kubernetes.io/version: devel
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 spec:
@@ -182,15 +182,15 @@ spec:
       labels:
         app: net-certmanager-controller
         app.kubernetes.io/component: net-certmanager
-        app.kubernetes.io/version: "20230123-cce02568"
+        app.kubernetes.io/version: devel
         app.kubernetes.io/name: knative-serving
     spec:
       serviceAccountName: controller
       containers:
         - name: controller
           # This is the Go import path for the binary that is containerized
           # and substituted here.
-          image: gcr.io/knative-nightly/knative.dev/net-certmanager/cmd/controller@sha256:61651eca0cbf2ab83ccdb2d64f98bee041b2869008b9e86c41714311ecdadda5
+          image: gcr.io/pivotal-knative/dave/controller-b5455ad1ba7b683d126966c08026cd15@sha256:5a786db6b17acc5c3e2037bda2442d85544522768deae3677d9732af4aef9572
           resources:
             requests:
               cpu: 30m
@@ -229,7 +229,7 @@ metadata:
   labels:
     app: net-certmanager-controller
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20230123-cce02568"
+    app.kubernetes.io/version: devel
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
   name: net-certmanager-controller
@@ -268,7 +268,7 @@ metadata:
   namespace: knative-serving
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20230123-cce02568"
+    app.kubernetes.io/version: devel
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 spec:
@@ -283,7 +283,7 @@ spec:
       labels:
         app: net-certmanager-webhook
         app.kubernetes.io/component: net-certmanager
-        app.kubernetes.io/version: "20230123-cce02568"
+        app.kubernetes.io/version: devel
         app.kubernetes.io/name: knative-serving
         role: net-certmanager-webhook
     spec:
@@ -292,7 +292,7 @@ spec:
         - name: webhook
           # This is the Go import path for the binary that is containerized
           # and substituted here.
-          image: gcr.io/knative-nightly/knative.dev/net-certmanager/cmd/webhook@sha256:2f65e85b9cf2d8a10507c1fc02333ca00350864235d4bfab1dc28c7a8d2e61a2
+          image: gcr.io/pivotal-knative/dave/webhook-29139c5ce1fe7007906a2b725aaa018b@sha256:dca6101881eec45ce0fc293efccec3dbe17c9a1e621073cd92bab9fdf366c84a
           resources:
             requests:
               cpu: 20m
@@ -356,7 +356,7 @@ metadata:
   labels:
     role: net-certmanager-webhook
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20230123-cce02568"
+    app.kubernetes.io/version: devel
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 spec: